As technology evolves, lessons come and go -- some are the same no matter how much time has passed, and some are unique to the technology-employed. The security industry has been on an exponential curve since 1985, the year the Orange book (Department of Defense Trusted Computer System Evaluation Criteria) was first published. The Orange Book indicated the government recognized the growth of computer systems and their associated security implications. I wonder if they knew how right they were going to be, not only for them, but also for consumers.
One of the things I've found when teaching about information security is that people want to know what you've learned that can't be found in a typical technical book. Technical solutions are everywhere but what security practitioners hunger for are solutions, ideas, coping mechanisms and adapting techniques that aren't in books. Sure, people have asked me for technical advice, but I believe even more have asked me for advice of a non-technical nature -- how to handle a certain situation, career advice, training paths and so on. I think it's time we help each other with what we've learned over the years. I want to know this from you: What are the top three lessons you've learned practicing security? And why? I'm going to gather all of the responses from people through as many venues as I can (e-mail, conferences, word-of-mouth), organize the material, and publish it periodically in Security Wire Perspectives and ultimately as a
Here's what I'll need:
-What are the top three lessons you've learned practicing security? Try to keep each lesson to less than 200 words
-Briefly describe the situation and note the result
-Explain the lesson learned
-Summarize how that lesson affects what you do or don't do today
Please provide the following information at the end of each of your three lessons learned in your note:
-How long you'd been in security when it happened
-Approximate year the lesson took place
-Name, position/title and name and location of the company you're currently with
-Contact phone number and e-mail address
-Whether you'd like your personal information withheld.
Please note that I must have your contact information for verification and questions about your text, but you can ask that it be withheld. If you do not provide the contact information, I cannot legally use it. In exchange for sending me this information and helping me write the book, I will send you a free copy when it's published.
Please send your information via e-mail to SecurityLessonsLearned@techtarget.com.
It's been a pleasure writing this column; I hope it's helped you. Have a great security planning year!
About the author
Shelley Bard, CISSP, CISM, is a senior security network engineer with Verizon Federal Network Systems (FNS). An information security professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia.
Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.
This was first published in December 2004