These are some of the things we came up with.
- Consistent, regular, targeted communication is important. “Targeted” as in speaking the executive language to the execs, and technical language to techies.
- Sometimes a grown-up with a customer-service orientation and an MBA who is also technical is an asset.
- Hold security forums aimed at the security people plus everyone else.
- Demonstrations of what can happen — in a controlled, demo environment — are useful.
- Build community. The security staff should know people and be known by them.
- Face-to-face, one-on-ones break down walls between countries, organizations, and levels in an organization.
- Before any changes: educate, educate, educate, and warn that they are coming.
- Keeping up with change and maintaining a gradual improvement in the security posture is often just fine (i.e., good enough).
- “Old school” security management — “Because I said so” — just does not work anymore.
- Ask “what makes sense in our environment and our corporate culture?”
- Remember, those in power — and maybe others — may always ask, “But, why?” Or, “Prove it to me.” Or, “Which government regulation?”
- Be patient, wait for the business case, take it one step at a time. But stay the course, and stick to the plan.
- Oh, yeah. Plan.
- Sometimes the user is his/her own worst enemy. He/she doesn’t need another.
- Concentrate on protecting your most important assets. Do the best you can with the rest.