I'm really tempted to copy and paste this entire article here. Hoff nails it right on the head with this one. It's a no-holds-barred quick look at what we as security professionals need to know and understand. If we want a successful program, then we have to look beyond the day-to-day things that often occupy our time. We have to move outside our self-imposed little boxes and look at the big picture.
He gives a nod to Rothman's P-CSO in the intro to this, and it contains a lot of the same principles that Rothman and others (including myself) often preach.
Some of the key points that I liked are:
- Measure something - like it or not, if you can't measure it, chances are that it won't last long or it will never get implemented. Management demands measurable results.
- Don't be a technology crack whore - technology is not the answer to everything. It may be fun to play with and it may look cool in the data center, but if the processes aren't in place and the people don't understand them, then technology will not work.
- Shut up and listen - our job is to secure and enable. We can't do this if we only tell the users what we want; we have to listen to what they need.
- Learn to say yes by saying no and vice versa - we often have to say "no," but we don't have to be rude about it, and when we say no we need to explain why in a way that makes sense to the users.