Information Security is the dark horse, the elephant in the corner, the distant cousin that no one really talks about at reunions. Everyone knows it exists, but no one really wants to talk about it and fewer still know much about it. In the coming months and years, technology security in general will be brought to the front of the line and become an expected aspect of all this technology we are surrounding ourselves with. It’s not a question of if, but when and how fast it will be mandated at every level: by your customers, your CEO and government regulators.
Security is a tricky beast. For decades security has been assumed to be a function of IT, and for a while that worked. Then the Internet came, the IT world became everyone’s world, and control was no longer in the hands of the weird guys in the basement working on the mainframes. Global connectivity changed the way we conduct business, but security practices didn’t adapt to the enterprise need quickly enough.
Now, as security becomes front and center, organizations are scrambling to roll out all kinds of security initiatives with varying success. There are many ways to succeed, but there are also many ways to stall and fail at a security initiative. Here is a list of ten pitfalls to look out for in a security initiative. One thing to remember: even though security is rooted in technology, it is a practice of the business.
In no particular order:
- Focusing on technology before the business processes – Security is a practice of processes supported by technology. Even if the solution is 100% technology driven, unless you have the business processes around it well defined the technology will only go so far. There is no magic security switch and never will be; no piece of software or hardware will solve your problems for you, it only helps you close the gap. You need to define the rest.
- Automating bad process – Automation can reduce workload but only if the process being automated is defined and works to begin with.
- Having an unsupportable infrastructure – Out-of-support operating systems, missed patches, old hardware, etc. It’s a constant balance of maintenance and advancement. Security depends on its supporting components; letting one fall behind can make any new security initiative moot.
- Lack of a roadmap – Plan, plan, plan. Look ahead. Phases, milestones, where you are going and how you will get there. Installing the software does nothing if you don’t know where you are taking it.
- Lack of executive sponsorship – Enterprise security is called that because it impacts the entire enterprise. Unless you have executive support from the top down, you will find departments resisting and rejecting any changes your security initiative introduces. Unless your security department already has wide respect and influence (I bet you don’t), you won’t get support unless the message comes from above.
- Treating security like a project and not a program – If you think security is like a dev project or an IT installation, you will not get very far. Projects have end dates; security is a practice that is constantly moving, adapting and growing. Like a program.
- Too much, too soon – Don’t ‘boil the ocean’. Change is good, but too much change too fast will be sloppy and error prone, and will get more push back than easing things in.
- Not managing expectations for dollars – Don’t succumb to ‘brochure buzzwords’. Be realistic; fall back on your roadmap and milestones to properly set expectations for the deliverable. You do want budget for your next initiative, right?
- Wrong team – I see this more often than not: the wrong skill sets on the team. It’s OK to shuffle people around or push for extensive training for your employees. Keeping the wrong people driving, or on the team, longer than necessary only hurts everyone.
- Poor architecture – You can design yourself into a breach. Security is end to end; focus on the enterprise picture and let the pieces fall into place properly.
Of course these are just some of the pitfalls you can run into. I left out all the internal politics, training, awareness, budget, threats, risks beyond the technology… all of that comes after you get something in place. Another time to talk about that.
End of line.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.