What should InfoSec people be doing?

Every once in a while, I like to take a step back and look at just what it is that I, as a Security and Risk professional, am supposed to be doing for the people who seem to be regularly depositing money into my bank account.  Sometimes, getting caught up in the day-to-day tasks of keeping my company off of page 1 of the Wall Street Journal clouds the bigger picture.  I sat down this weekend and gave this issue some thought and (at the risk of being accused of navel gazing) came up with the following thoughts on what we security people should be doing and why:

 

  • The purpose of the Information Security/Risk Management function is to protect the organization and its stakeholders while enabling it to achieve its business goals.  Information Security/Risk Management should not be the department that says “No”; it should be the department that says “Here’s how we can move forward – safely.”

 

  • Understanding the goals of the organization and the processes, procedures and products used to meet those goals is vital to the work of Information Security and Risk Management.  Every organization (and sometimes divisions within the organization) has a different risk appetite, leading to a unique set of policies, procedures and technologies.

 

  • The foundation of Information Security and Risk Management is the organization’s people and culture.  Technology certainly has a large role to play in building defenses, but a well-educated and vigilant management team and workforce (the “Human Firewall”) is the keystone of a successful information security program.  Management’s choices as to risk must be informed, and the CSRO must provide them with the information needed to make the right decisions.

 

  • While “advanced persistent threats” and cutting-edge attacks get a lot of press attention, most security breaches result from the organization’s failure to implement the boring, basic, but vital “Security 101” measures.

 

  • Information security as a practice has changed significantly in the past decade.  Where once we built moats and castle walls to keep the bad guys out of our networks, today we face attackers who can “parachute in” to an organization by taking control of an employee’s computer.  Perimeter controls are still necessary, but networks must be able to withstand an attack from within.

 

  • The Information Security and Risk professional must always be learning – about their organization and their industry, as well as about new risks, threat actors and defensive techniques.  Both the business and Security and Risk landscapes change daily, and only by keeping pace with these changes can the Security and Risk professional remain relevant.
