When
Check your philosophy, outlook and attitude at least annually.
Why
An optimistic yet prepared security manager is priceless.
Strategy
In no particular order, here's what I've learned over 18 years practicing security in both industry and government:
1. You're already behind the day you begin -- don't dwell on it -- just figure out what's most important to do first:
a. You will never have enough money, time, hardware, software, talent or people. Revisit Week 21: Risk Assessment ---Steps 1 and 2.
b. You will always have the classic security dilemma: If nothing happens, is it because security was effective, or no one bothered with your stuff? Explaining this to management will be tough, be prepared by having all of your security ducks in a row.
2. Attend training at least twice a year; make it part of your hiring requirements, or pay for it yourself if your organization won't.
3. Learn what input you have into the budget, and plan accordingly.
4. Stress comes from knowing you don't know something, and being afraid of fallout from that lack of information -- figure out what you don't know and learn it. Revisit Week 7: Training Yourself and Your IT Staff for more ideas. And don't buy a book on the subject, buy one that has a survey of related subjects in it, so the one you're interested in is just a chapter. It will give you the overview you need.
5. Make sure any legal counsel retained by your organization has a clear and thorough understanding of cyberlaw issues, including overseas privacy laws if your company does Web-enabled financial transactions.
6. Remember you do not own the systems or the data -- you are simply responsible for keeping it safe.
7. Ensure the security department is positioned correctly in the hierarchy for minimum layers to the top and maximum policy enforcement.
a. Find out if you are personally liable if the company is charged with an offense
b. Ensure management backs your department financially, and supports you legally, in writing, if not, be prepared to leave the company.
8. "Try it for 90 days." If you have to introduce an unpopular practice, use this method to ease the grumbling and to promote it. Given human nature, everyone will be used to it by then and not care anymore, or it will be so unpopular, management will be willing to assume the risk for not implementing it.
9. Be seen around the organization. A lot. It makes you approachable, and makes security less onerous if people realize a real person is behind the position.
10. Time management is critical to success, and sanity:
a. Delegate -- the time it takes to train someone to help you will pay for itself 10 times
b. Recognize when to subcontract for short-term projects or long-term staffing help
c. Limit your "information channels" to five. By this I mean limit your subscriptions, updates your auto e-mails, etc., to five groups/subscriptions you like. Information sharing in the security industry will ensure you hear about what you need to know.
More information
Inside your head and heart, and your colleagues.
About the author
Shelley Bard, CISSP, CISM, is a senior security network engineer with Verizon Federal Network Systems (FNS). An information security professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia. Please e-mail any comments.
Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.
