HDS Aware

Perspective
The Holy Trinity of Info Security (continued)


Information travels quickly, but threats to information move quicker. The security group must be free to ascertain an incident, call in appropriate personnel, perform "cyber-triage" and work with other systems staff and organizations to resolve the situation without having to ask "May I?" of non-technical managers at every step. However, don't expect this authority to be bestowed along with your business cards; you will have to earn it.

Your security group's freedom to operate autonomously depends completely on how well you have built relationships with both senior management and fellow division chiefs and their staffs. Nothing is worse than receiving a pager call and assembling your response team, only to discover that the systems people for the system under attack have ignored your call for help or are not as committed to near-real-time incident response as your security team is. The commitment of other system administrators to cohesive security activity depends on your interaction with them during non-crises.

You are human; you do NOT know it all. You need the help of people outside your group to effectively run a security program. Being aloof and "untouchable" denies you the support you need. Support others when they need it, and they will support you when your job is on the line!

So, is it doable? It is, if you have a team. Personally, I would rather take technically qualified folks who are first and foremost team players and turn them into a high-performance team of security professionals than lead a group of security professionals who can't be a team.

Selling Security to the Board

What You Say / What You Mean

What you say: We will make every effort to make security as transparent as possible to the users…
What you mean: …and therefore not impose further training burdens and a potential loss of productivity for our employees.

What you say: We will strive to reach the best and most cost-effective level of security possible with the resources available to us…
What you mean: …we know money is tight, and we feel your "executive pain."

What you say: Security must start at the top…
What you mean: …if the CEO has to change his password every three months and comply with corporate security policy, the new hires shouldn't feel too bad about doing it either. This will demonstrate leadership and a commitment to security from senior management.

What you say: We will keep a clear, regular line of communication open and provide regular briefings to management and users on the effectiveness of the security program…
What you mean: …by doing so, you will feel better knowing where your money is going and that your company information is indeed safe from competitors. In addition, you will feel a sense of participation in the security program. Everyone wants to feel needed!

Conclusions

You have absorbed some "insider tips" on developing and maintaining a high-performance information security organization. It's not that difficult, really. You have been forewarned about the two basic challenges to your security program: selling security to management, and selling security to users. Keeping "doability" in mind will facilitate both activities. Believe me, they are tough sales!

Evaluating the simplicity of your program will illuminate potential bottlenecks and barriers to successful security and awareness within your organization.

Protect your information resources armed with the knowledge of today and the foresight of tomorrow.
