My favorite lyricist, Neil Peart of Rush, once wrote “Why does it happen? Because it happens.” Some deep lyrics on life that many people, unfortunately, apply to their information security programs. These people go through their days, months, and years, letting things “happen”. It could be a user unhappy about the security hoops he must jump through. It could be an executive who repeatedly says “No!” to security budget and initiatives. It could be a denial of service attack. Whatever the situation, it just happens. And life goes on. The motions. The reactiveness. The policies. The assumptions. The breaches.
To quote another song, this time from the TV show Hee-Haw, it seems as if many people in security operate with the mindset of "Gloom, despair, and agony on me... If it weren't for bad luck, I'd have no luck at all". It's as if there's nothing that can be done. Every security problem that these people have is someone else's fault. There's always an excuse. One thing that's glaringly evident in business (and life in general) is that there are followers and there are leaders. Some people just take what comes their way, running themselves ragged constantly putting out fires. They're needed all the time, work long hours, yet they never get anything done. And the security challenges continue. I think these people secretly enjoy just where they're at. But that's not doing the business any favors and certainly doesn't address the underlying business risks at play.
If you want to take control and ensure that bad choices and habits are not hindering your information security program, you might consider doing these things to get at the root of the challenges and make improvements where they're needed:
- Step back and look at the bigger picture of where you currently are and how things can be improved. There's always something that can be resolved or done differently to improve security. Do this away from the office on a business retreat or personal vacation. Bring in an unbiased outside party to highlight the gaps if necessary. After all, it's hard to see the forest through the trees. The important thing is to ask yourself the brutal questions that you may have been avoiding up to this point. The answers to what needs to be done will surface.
- Get management and users on board with your security initiatives and, just as importantly, do what it takes to keep them interested. Information security is not a one-time deal. It's an ongoing philosophy. If they don't want to get on board or seem to be interested, then look inward. Your approach may be broken. You need to meet them where they're at, not where you want them to be.
- Building on my point above, focus on your non-technical skills. Information security is way more than bits and bytes. Instead, it's about communication, relationships, and the business as a whole. You'll likely find that deficiencies in these areas are holding you back as much as any technical security issue. Odds are that most of the technical challenges you face can be resolved with improvements in the non-technical areas of your security program.
- Set reasonable goals that you can work on every day of every week and hold yourself accountable to see them through. It's the hopes, dreams, and wishes approach that sets everyone up for failure. Unfortunately, that's how many information security programs are run.
There's no one root cause of your security challenges. That said, they're often very predictable. If you want to see changes, it's up to you to make things happen. No one else is going to do it for you. Sure, there are others outside of IT and security who are ultimately responsible for security. But if you're in charge of day-to-day security then you need to be the driving force that makes things happen. The path of blaming others for your security shortcomings is tempting to go down – and it's very easy to stay on. But it's not for you. Let the other people who choose that path be the low-hanging fruit that malicious attackers prey on.