I WAS A TEENAGE SECURITY WEREWOLF.
Well, loosely speaking, anyway. I wasn't really a teenager. But when it came to security, I was young and naive and all about the technology.
And then one day I had an epiphany: I realised that sometimes what I considered to be an unacceptable security practice could still be an acceptable business risk. It isn't important, really, how I got there. I finally realised I had been missing the point, attempting to throw the latest and greatest technology solutions at the security issues I had identified. And I began to see that it was impossible to assess a company's security program without understanding its culture and how the business management processes evolved within it.
Now, maybe that's not news to most people. But to me, it was a revelation that rocked my world. So I set off to transform myself from a technology werewolf to a more sophisticated security manager — a true career enhancement decision.
Reality set in on day one of my new job when I sat down with my security staff and outlined how we were going to review policies, practices and guidelines surrounding our security capabilities. We would take the organisation's enterprise security architecture to new heights. If the company's security architecture was at level six, we'd make it a seven. Or even an eight. I discovered pretty quickly that, when it came to security planning, my new company was really back at square one.
I should have guessed it right away. I remember worrying that something was missing during corporate's 10-hour new-hire orientation program. I didn't hear anything on computer security, let alone information technology in general. IT was simply not on the radar.
Digging deeper, I learned from the IT guys that the servers were "locked down," which gave the company the false notion that it was operating in a secure environment. The proverbial honeymoon was over before it even started.
Still, I was determined, so I set out to transform the psyche of my new company, convincing it that IT security has to start with understanding the business needs and then developing a strategy to address those needs.
Now, what we're all so fond of calling best practices can often be generic, nonspecific recommendations from vendors or outside authorities that don't really understand the details of individual business needs. True best practices — whether security-specific or not — come from within. You need to understand how the business management processes evolved before you can prescribe any suggested practices.
Likewise, security compliance must come from within. My new company had been basing its security criteria on the assumptions of outside "authorities" rather than on what was actually happening within the business. But until you get a solid security policy in place, your organisation cannot even begin to communicate or implement security expectations, let alone train employees. Without a core security program, there is no compliance to security because there is nothing with which to comply.
As I see it now, there are four main beasts that may misalign any security program:
No senior management support. Even if programs appear to have senior management sponsorship and dedicated security budgets, they won't be accepted if employees see them as controlling, wasteful and unproductive.
Unreasonable directives. Does technology dictate your business objectives, or does your business dictate your technology needs?
Lack of communication. Sometimes, it's best to let senior management and users "discover" security practices.
Limited funding. Budgets are forever tight. Get innovative. Instead of purchasing the learning management system, see what infrastructure already exists.
Once a security program is outlined, you can use a consultant to help develop specific security capabilities to enhance it.
Every organisation is different. Its security needs will also differ. Try to identify and understand how the corporate culture dictates, adopts and evolves security initiatives. And remember: Communication and representation are key factors in your transformation into a successful security manager.
This column is written anonymously by a real CSO at a major corporation.