Managing an effective information security program isn't about avoiding mistakes. No security program in the history of IT has ever been perfect and free of setbacks. Instead, you have to look at what has happened as feedback on what works and what doesn’t. Some people will try to make you think that all is well – safe and secure – in IT but that's hardly the case. In fact, it's impossible. And that’s okay. Without security adversity and challenges, there's no meaningful way to improve. The only way to get better is to make mistakes and learn from them so that improvements can be made over time.
I've had clients over the years tell me that they want to have the most secure network environment. In fact, I’ve even had people ask me to perform a security assessment of their environment but that they wanted the report to be clean - void of any flaws. Really!? Anyone who claims that their IT environment is fully secure is, at best, living in la la land. There are so many positive opportunities to be experienced and lessons to be learned when faced with adversity in security such as:
- What to do in order to sell yourself and your initiatives
- How to set users up for success
- Ways to prioritize the deployment and oversight of security policies, processes, and technologies
- What a distributed denial of service attack feels like
- How relentless malware can be
- How devoting time and effort to compliance is often unfruitful
- What "secure" really means
So many people in IT and security are afraid of getting into trouble in terms of security incident or breach that they do whatever it takes to make things look as if they're perfect in every way. I completely understand the premise of that behavior (covering one’s rear-end) but it really does nothing to solve the actual problem. Furthermore, it takes a lot of energy to constantly go around purporting as if everything is all good. You only end up fooling yourself and the very people who you're trying to get on board with your initiatives – executive management. It may seem as if this type of short-term posturing is helping but it’s not a long-term prescription for security success.
IT and security professionals who have never faced adversity rarely go on to do wonderful things in their careers. It's virtually guaranteed that mistakes and setbacks that you make and experience today will put you in a better position personally and professionally in the years to come. Don’t be careless or avoid the security basics. Address the common low-hanging fruit as soon as you possibly can. Understand what security really means and what it’s going to take to get there. Still, even with a reasonable security posture, adversity is just around the corner. Embrace this and use it to your advantage. Negativity (incidents, breaches, and the like) today can page huge positive dividends down the road. All it takes is changing your perspective.
IT and security professionals who have never faced adversity rarely go on to do wonderful things in their careers. It's virtually guaranteed that mistakes and setbacks that you make and experience today will put you in a better position personally and professionally in the years to come. Don’t be careless or avoid the security basics. Address the common low-hanging fruit as soon as you possibly can. Understand what security really means and what it’s going to take to get there. Still, even with a reasonable security posture, adversity is just around the corner. Embrace this and use it to your advantage. Negativity (incidents, breaches, and the like) today can page huge positive dividends down the road. All it takes is changing your perspective.
No comments:
Post a Comment