Security and Relationship

At the faculty-led round-table discussion at the recent Mid-Atlantic Network Security Forum, my discussion topic was “Keeping your sanity while positively influencing your enterprise security posture” (or maybe it was a bit less wordy).

These are some of the things we came up with.
  • Consistent, regular, targetted communication is important. “Targeted” as in speaking the executive language to the execs, and technical language to techies.
  • Sometimes a grown-up with a customer-service orientation and an MBA who is also technical is an asset.
  • Hold security forums aimed at the security people plus everyone else.
  • Demonstrations of what can happen — in a controlled, demo environment — are useful.
  • Build community. The security staff should know people and be known by them.
  • Face-to-face, one-on-ones break down walls between countries, organizations, and levels in an organization.
  • Before any changes: educate, educate, educate, and warn that they are coming.
  • Keeping up with the change, maintaining a gradual improvement in the security posture is often just fine (i.e., good enough).
  • “Old school” security management — “Because I said so” — just does not work anymore.
  • Ask “what makes sense in our environment and our corporate culture?”
  • Remember, those in power — and maybe others — may always ask, “But, why?” Or, “Prove it to me.” Or, Which government regulation?”
  • Ba patient, wait for the business case, take it one step at a time. But, stay the course, and stick to the plan.
  • Oh, yeah. Plan.
  • Sometimes the user is his/her own worst enemy. He/she doesn’t need another.
  • Concentrate on protecting your most important assets. Do the best you can with the rest.
In addition to these things, remember my blog Seven Things to Help Keep Sanity and Equilibrium.

No comments: