I've never been one for New Year's resolutions. I've seen how they tend to exist only for short-term motivation rather than long-term achievement. Resolutions are just not specific enough and there's no tangible means for accomplishing anything of real value. Just check out your local gym by mid-February. It's all cleared out. The people who energetically vowed to make changes late last year have simply lost their resolve.
But it's not just a personal thing. The cycle of resolve-try-forget exists in our professional lives as well. If you manage an information security program or somehow have your hands in the IT risk equation, you have to be careful not to get on that diet-like roller coaster. You need a plan. You need specific steps to take. You have to hold yourself accountable. The very moment you say something high-level that you want to accomplish with your information security program – with no specific details or deadlines – is the very moment you hop on the road of good intentions. We all know where that leads.
For example, let's say you resolve to do the following for your security program this year:
- Do more security assessments
- Follow-up on security assessment results sooner
- Perform additional security monitoring
- Send more security awareness emails to users
- Not get hacked
- Talk to management about what's happening on the network
You write these down on a whiteboard in your conference room so everyone can see them. With your staff being exposed to these resolutions during your team weekly meetings, they'll keep them on the top of their minds and things will take care of themselves, right? Absolutely not! Just ask the guy who vowed to eat less and exercise more. He's not at the gym so you've got a better chance of tracking him down.
Take a look at each of the above resolutions. Notice anything missing? They're not specific. There are no documented steps that need to be taken to accomplish them. There are no deadlines. They're mere wishes. Dreams at best. If you want to start accomplishing things in information security, you have to get serious and document actual goals. You then have to “manage” your goals which means that you revisit them on a periodic and consistent basis, i.e. daily, and take steps every week to make each goal become reality. Goals are not all that different from security metrics that you might have. They're specific and tangible. They're also reasonable and attainable.
I'm convinced that if we were to look at the root causes of all the publicly-known breaches, we'd certainly see politics, ignorance, and downright bad luck at the root of all of them. But odds are excellent that we'd also see that the people in charge had no goals for managing information security or they were, at least, mismanaging them.
Take a look at your security program and determine what you want to accomplish this year. It'll be obvious but it won't be easy. It's up to you to make things happen. It takes more than resolve. It takes the proper philosophy and, most importantly, discipline.