The Four IT Security Principles: A Practical Guide to Improving Information Security

April 27, 2014

Below are four principles to help you become a more effective IT security leader. While these principles won’t solve all your problems, if you practice them regularly, you can’t help but reduce risks and knock annoying security problems off your to-do lists.

Start a difficult information security task

Every IT security leader has a laundry list of items that need to be fixed in an organization to improve information security and lower risk. Some of these issues may instill a certain fear or anxiety in you that prevents you from taking that first step. You probably have a few scary items written on post-it notes around your desk right now, so why are you waiting? It could be because you don’t like who you have to deal with to accomplish the task, or maybe it isn’t in your technology comfort zone, or….

Regardless of the reasons, the best security leaders face their fears head-on and pick up that phone, schedule that meeting or send that email NOW to initiate change rather than wait. What are you waiting for?

Start one nagging issue right now. I’ll wait…

Know your stuff

In my personal opinion, there are way too many IT security professionals who don’t truly understand enough about technology. Many of the current leaders rose through a support role focused in one particular area, but never took the time or have the ability to learn another discipline.

Understanding all aspects of IT including networks, development languages, databases/queries, server configurations, Unix, Windows, etc. dramatically improves a security leader’s effectiveness. If nothing else, it allows you to speak to technologists in their terms. It also lets them know that they cannot make something up just to avoid implementing a security fix.

If you don’t get funding for big projects, fix security operations

All too often, IT security leaders use “lack of funding” as an excuse for why they haven’t done more to lower risks. Funding will always be an issue, but even if you do not receive funding to implement an identity and access management solution, DLP solution or any other project, there are considerable ways to improve information security just within day-to-day operations.

This is where having broad technical skills can help you truly become an effective IT security leader because it allows you to design and drive architecture improvements without massive project teams. Aside from technology, process improvements, process redesign, and lean operations can always be a focus. These areas should not require an official project.

Don’t accept excuses from matrix-managed teams

From performing risk assessments at a variety of organizations, I see a large number of organizations living with open vulnerabilities. They don’t follow best practices simply because nobody stands up to the individual technology towers and effectively influences them to change.

With technology, anything is possible, so it is up to you to manage external teams effectively. I have found that change is easier when you take an educational approach to influence technologists. An IT security leader must help technologists understand why certain settings pose environment risks. It often helps to frame risks around technology and security changes over the years. This approach can deflect resistance based on historical reasons.

By applying these four principles to your information security management practices, you can lower risk and become a more effective IT leader with minimal change and without increased budgets. Give it a shot!