Focus is often not easily attainable in our profession. The needs of the organizations we protect are complex, and the response required by the criticality of the services we provide tends to put our multi-faceted operations in a state of flux. Add increases in the threat environment, technology shifts and an explosion in the size of threat surfaces, and your full-time job becomes chief prioritization officer.
There are many things we can do to drive our missions forward while we manage the evolution of our business protection. The key to success is forward momentum. Any act that drives change, large or small, will help, starting with these three complacency-fighting tactics.
Create controls assurance – Create a process to measure the suitability of your controls. Our programs are based on controls, but once they are implemented, how often do we measure whether they're effecting the change we planned?
Review the control, decide whether it works as intended, and make a proactive decision: keep it, change it, or remove it and redistribute its operating cost to a higher priority.
Create urgency – Creating urgency is often confused with “selling security through fear.” These ideas could not be further apart. Urgency means that you've educated someone on facts that in turn drive action.
Have a vendor do a proof-of-concept with a new technology that provides insight into a specific gap in your security program. Lead a fact-gathering business analysis using graphical data flows, application access and data sprawl with your business customer to provide them with a visualization of the impact to their business. Finally, spend time with your team taking them through the downstream residual impact of the operations you provide and instill a sense of mission urgency.
Create momentum – Create momentum through action itself. To achieve this, create a list focused on reducing risk and closing gaps in your environment. Cite specific issues, how they impact the business and how a change would reduce the risk, and offer solutions.
Next, create a critical asset protection program and put it to use to protect the crown jewels. Include steps to document assets, test, remediate and monitor using your existing resources when possible.
Being a good security practitioner means being a good business partner. The actions above demonstrate leadership, financial accountability, resource management and relationship management. But most importantly, they deliver actionable changes that increase the efficacy of our programs and get our business that much further up the maturity curve of protection.