Security's Everyman

Tuesday, November 27, 2007

More from the "Great Thinkers" series

OK, so I don't have a great thinkers series, but I think I'm gonna start one. One of my soapboxes is the need for IT and especially Information Security Professionals to quit thinking alike and start thinking about your specific needs and the best way to protect your company. That is key to really being successful. If you just follow best practices and the crowd, you probably will be secure, but you will never move beyond average. If that is what floats your boat then that's fine, but if you want to really make a difference and have the best chance to advance your career, then you have to change the way you think. You have to keep on top of your game.

Rebecca Herold has a good post on her blog where she gives advice on "elevator speeches". In essence she is telling us that we need to be prepared to sell our program, ideas, plans and such at a moment's notice. We need to be prepared for the unexpected opportunities that sometimes come our way. It may be a ride in the elevator w/ the CEO when they ask you about your program. It may be that you get a call from your boss or your boss's boss. They want you to brief them on the status of your security program and they want it now or very shortly. What will you do? Have you thought about that possibility? Are you going to give them stats, charts and figures? Are you going to tell them about all the technology, policies, and such that you have in place? What about using this opportunity to give them a quick overview and at the same time sell them on the importance of the program and keeping it fresh and moving forward? If we tell them that we haven't had a breach and all is well, then they may say "Great, you're doing a wonderful job. Keep up the good work!" Then they go on about their business and forget all about you. You don't get the funding you need for future projects and upgrades. You don't get the support you need to keep things going well. Then you get hit and it's your fault for letting it slip off their radar.

I'm not saying that you need to use FUD (Fear, Uncertainty, and Doubt) to keep them "afraid", but you need to know not only the status of your program but also what you need to keep it in good order. You need to think about how to best sell your program or at least keep it on the radar of management.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.