Building a C+ Security Effort – 5 Tips to Achieve What Your Execs Want & Your Business Needs: Don’t Ask, Just Know
This series will explore 5 tips to build a sustainable, repeatable & effective C+ security effort: one that can pass security audits and comply with regulations while still maintaining a strong dose of practicality. Time to go from F to C+, baby!
Tip #3: Don’t Ask, Just Know
So if you buy into what I am saying, then you should just start throwing the “C+” word and concept around everywhere in your organization. Uhhh, yeah right! Just as nobody wants to claim they are a C+ student in life or anything else, your management will never vocally support a C+ benchmark. They will always claim how diligent the organization is at security, as if the organization were wearing a cape with “A+ at Security” in bright letters on the back.
Of course, what is said in a conference room at an organization and the actions of leadership and staff are two different things. The problem is that there is nothing wrong with being a C+ security professional; it is simply taboo to call it that. So the tip here is to design the C+ approach in terms of practicality and simplicity, just don’t call it that. Your leadership will get it, though they are never going to tell you they do. In fact, they will more than get it; it will be refreshing for them, because most are downright fed up with how the security profession has been leading the charge to implement security in a manner that is just not practical. They have already gone through the “HIPAA scare of the early 2000s” and they just don’t buy the hype anymore.
As always, please provide your feedback to Mike.Gentile@cisoshare.com or @MikeGentile03 on Twitter; I always read them.
Read Part 1: Making the Security Grade
Read Part 2: You Only Need an A+ Security Posture if a Life is at Stake
Read Part 3: Do Not Only Consider Security Risk in Your Security Effort