Vice president of Trustworthy Computing, Microsoft
Trust but verify.
Some of the best IT security advice I've received--trust but verify--can appear simple in principle, but is more complex in implementation. It wars with our instinct as humans to inherently trust each other. When I am asked for advice, I often tell people to put the business leaders, the legal counsel and the IT staff in the same room--each department will learn how it is dependent on the others.
Director of antivirus research, F-Secure
Trust no one.
"Trust no one," says X-Files character Fox Mulder.
Ultimately, we all have to take responsibility for our actions, and we can rely only on ourselves to get that done.
CISO, Port of Seattle
Look at the whole picture.
Probably the best security advice I ever received was from my good friend and co-worker Kirk Bailey (CISO, University of Washington, and former CISO, City of Seattle): Try to stay at a strategic or high level to ensure that you look at the entire picture before making a security policy, procedure or decision. And, always be ethical and do the right thing.
Senior strategic research and policy analyst, Office of the Privacy Commissioner of Canada
Understand business requirements.
Before you do anything else, make sure you understand your
Everything that a security consultant or a member of the security staff does--risk assessment, security architecture, policy and standards, safeguard selection, education and awareness--should be aimed at enabling, supporting, protecting, recovering and restoring business requirements and operations.
Without a clear understanding of these principles, there's a significant chance that you will either forget to address a particular aspect of security, or that the security that is implemented will be inappropriate.
CSO, George Washington University
You get what you pay for.
A few years ago, I had the honor and pleasure of having lunch with Dorothy Denning right before she left Georgetown and moved to California.
She gave me some very good advice: Don't stress about the things you cannot change, and focus on the areas where you can make a positive impact. You can't force change--the culture has to be ready to change.
She also told me that, many times, the adage "you get what you pay for" is true: Organizations that want the best security professionals better be willing to attract, pay and retain them. There are so few of us, and we are hot property right now.
Director of information security and privacy, The Washington Post Company
Humor can help your image.
Never lose your sense of humor. This isn't to say that there is anything humorous about security incidents; but, if you can get your message across with humor, people often remember it.
Information security professionals can be perceived as intimidating, and humor helps do away with the "bad guy" persona.
Vice president, security business and technology unit, Microsoft
Isolation and protection are key.
You need to assume that other people may be trying to attack you, even if you don't think they have a reason. I am a big believer in isolation, which is why I always use a firewall whenever I connect to the Internet.
The next thing I do is get my system up-to-date and protected by antivirus and antispyware software. I always carry a USB disk with Windows XP SP2 and Microsoft Anti-Spyware Beta One, and I install them for all of my friends and family who don't already have them.
Learn how to sell your ideas.
Seven or eight years ago, I attended a dinner seminar put on by a local security consulting boutique that was focused on marketing security. The event was one of the best I've ever attended in terms of the interaction between attendees and the presenters, and I came away feeling that my time was well spent.
The fundamental point was that security practitioners need to learn how to sell their ideas. One of the keys to accomplishing this is understanding the perspective of those to whom the ideas are being directed. In other words, market to the business people who hold the purse strings, and frame the messages in terms they can relate to.
Too often, we, as security practitioners, lapse into geek-speak and then fault our listeners for "not getting it." Whether you're pitching the need to fund security projects to business people, or convincing a child of the need to wear a helmet when bicycling, you need to put things in terms the listener can understand. Beyond understanding, you want the listener to actually like the idea. The more they like it, the more sure the sale.
Get inside the listener's head. Figure out what his hot buttons are and leverage them. Spend a little time getting to know your audience, establish some trust and build your credibility by showing that you understand the issues. Point out that you have shared goals, and then provide some alternatives on how you can work together to achieve them.
Securing information systems requires the participation and cooperation of a lot of people. You'll never manage it on your own, and that's why it's critically important that you capture mindshare and involve others in your security agenda. Start marketing now and build those key relationships so that, when the time comes, you're able to sell your ideas and gain that much-needed support for your security initiatives.
This was first published in August 2005