Building a C+ Security Effort – 5 Tips to Achieve What Your Execs Want & Business Needs: Making the Security Grade

In today’s security landscape, it is clear that the challenges of the security discipline are growing at a rapid pace. They range from immature techniques for fixing security issues to a lack of available and experienced security resources to perform all of the required tasks. Of all these concerns, one of the most prevalent issues I have seen lately (with dramatic consequences, by the way) is the impact of many in security craving to be A+ students in environments that are fine with a C+.

The symptoms are everywhere: locking that firewall down to the point of making it a brick wall, supporting ridiculous regulations that try to trick you into implementing a security panacea, and the vicious tenacity of the many security auditors out there with no implementation experience telling you how to implement by the book. Perhaps much of this “go-get-it-ness” (wow did Word spell checker light up with that word) in the end comes from the fact that in security we are all just like goalies in hockey or soccer, often playing a whole game flawlessly only to be judged as a failure for one momentary letdown or goal allowed past in the last minute. Security can be harsh like that, and I believe it is this fear of the last-minute goal, combined with a lack of maturity in the security discipline, that has created a perfect storm of security perfection addiction. This affliction is exemplified in conference rooms, board rooms, and beyond as “We must implement a perfect and flawless security effort at our organization all the time and every time.” And this would be great except for one thing: THIS IS NOT WHAT THE BUSINESS WANTS OR REALLY NEEDS.

In the end, security efforts that seek to implement an A+ security program are almost never implemented, being shot down by those with more political capital (almost everyone at an organization), often leaving an environment that is an A+ on paper or in design but an F in terms of true implementation. If this sounds familiar, read on. It’s time to start fixing the situation.

This series will explore 5 tips to build a sustainable, repeatable and effective C+ security effort: one that can pass security audits and comply with regulations while still maintaining a strong dose of practicality.

Time to go from F to C+, baby!
