Manage

What are the top five concepts or lessons on security management?

Many security managers wish their company executives understood more about the importance of information security. Security management expert Mike Rothman lists the top five things every executive should be informed of.

Mike Rothman, Securosis

If you could make business/executive management more aware about five concepts or lessons on security, what would they be?

Getting it down to 5 is really hard, but here goes:

Security is a journey, not a destination: Executives need to understand that security is never done. If a new user or application or trading partner has been introduced to the organization, then new risks have been introduced as well. Security is not a box that can be checked. That is probably the most important concept to convey.

Nobody can protect what's important, unless it's been made clear exactly what is important. Security is not generic. It's important not to treat every system and asset the same. Some stuff is important and should be protected at all costs. Some stuff isn't, and therefore resources shouldn't be expended to protect it. The executive managers have to decide what's important, and they need to tell the security team. Help them understand the choices they need to make.

Compliance is not the goal of information security. This is related to No. 1, but important in its own right because many executives believe that once they get the compliance stamp from an annual audit, they don't need to think about security anymore. Being compliant does not mean the organization is secure. That's extremely important to get across.

The users are the weakest links. The reality is that many serious data breaches are caused by human error and are not intentional. That means it's still important to train users on a continual basis about what they can and can't do.

Incidents are going to happen. There is no way around it: EVERY organization will eventually be faced with an information security incident. Many executives freak out when incidents occur, and that's because the security team has done a poor job of managing expectations. The important part is how well the organization recovers. How much data was lost? What are the ramifications? Help the executives understand the need for a formal response plan, because having one in place when the inevitable happens will make it much easier to deal with.

More information:

Read more about getting information security buy-in from the executive team.
Learn more best practices in security program management from NIST.

This was last published in June 2008

Dig Deeper on Information security program management

Related Q&A from Mike Rothman

How to prevent software piracy

Pirated software is still a major concern nowadays. Uncover how to prevent software piracy and protect your organization's intellectual property. Continue Reading

What are the roles and responsibilities of a liaison officer?

While liaison officer responsibilities vary depending on the company they work for, their strong organizational and communications skills make them ... Continue Reading

What's the best career path to get CISSP certified?

The CISSP certification can be a challenge to obtain. Mike Rothman unveils how to get on the right education and career tracks in order to get CISSP ... Continue Reading

SearchCloudSecurity

Top 6 cloud security analytics use cases

Security analytics use cases vary from fraud detection to threat intelligence analysis. Learn how deploying this technology in ...

McAfee: Attacks on cloud accounts up 630% during COVID-19

Between January and April amid the COVID-19 pandemic, McAfee found usage of cloud collaboration apps and attacks seeking to steal...

Use these CCSK practice questions to prep for the exam

Virtualization and container security are key topics in the Certificate of Cloud Security Knowledge credential. Test your ...

SearchNetworking

5 principles of the network change management process

Network change management includes five basic principles, including risk analysis and peer review. These best practices can help ...

Small vendors that stand out in network automation

When incumbent vendors fall short, enterprises should consider these small vendors for new approaches to analytics and network ...

Top 5 VPN myths and misconceptions for IT organizations

Although VPN technology has its challenges, various misconceptions exist that can muddle IT teams' understandings of VPNs. Here ...

SearchCIO

Top 2020 IT priorities hold fast amid COVID-19; spending takes hit

The biggest IT spending drivers from TechTarget's 2020 IT Priorities Survey remain relevant amid the COVID-19 pandemic, although ...

How CIOs can combat the IT talent shortage

Research shows organizations are still struggling to bring in IT talent. We identify the reasons why there's a shortage and what ...

How companies can ensure success working from home

Analyst Andrew Hewitt explains how companies have adjusted to remote work, what they need to be effective now and what to ...

SearchEnterpriseDesktop

How SCIM can automate user provisioning

Using SCIM allows users to access resources within unrelated partner environments automatically without organizations needing to ...

Manufacturer turns to micro apps to save time

An electronics manufacturer is in the planning stages of implementing micro apps in Citrix Workspace in the hopes of saving time ...

End-user productivity becomes a priority for remote work

The initial response to COVID-19 focused on purchasing new technologies and retooling systems to support work from home, but ...

SearchCloudComputing

Identify the Google Cloud developer tools you need

Developers want more from their cloud than APIs and services; they want tools to accelerate and improve the app dev lifecycle. ...

Compare the 3 types of private cloud

Private cloud isn't on-prem computing, but it can be. And on-prem IT isn't private cloud, but it can be. IT teams have many ...

How to deploy Terraform code in an Azure DevOps pipeline

Automation in the cloud will not only make you move faster, it will do so in an efficient way. Learn how to create an Azure ...

ComputerWeekly.com

BCS calls for computer coding in scientific research to be more professional

BCS position paper finds the software coding practices of non-computer-science scientists to be insufficiently professional

Revealed: Surveillance camera network that covered Dominic Cummings’ lockdown travel

A network of automatic number plate recognition and local authority traffic cameras could help police track Downing Street chief ...

Coronavirus: CIOs should consider a new desktop IT strategy

Although the Covid-19 lockdown is easing, office life will not return to normal any time soon, and few will be buying new PCs

What are the top five concepts or lessons on security management?

Many security managers wish their company executives understood more about the importance of information security. Security management expert Mike Rothman lists the top five things every executive should be informed of.

Dig Deeper on Information security program management

Channel roundup: Who’s gone where?

How important is security awareness training for executives?

Breach awareness low among executives, CA Veracode survey says

Equifax breach claims another scalp

Related Q&A from Mike Rothman

How to prevent software piracy

What are the roles and responsibilities of a liaison officer?

What's the best career path to get CISSP certified?

Join the conversation

1 comment

Please create a username to comment.

-ADS BY GOOGLE

SearchCloudSecurity

Top 6 cloud security analytics use cases

McAfee: Attacks on cloud accounts up 630% during COVID-19

Use these CCSK practice questions to prep for the exam

SearchNetworking

5 principles of the network change management process

Small vendors that stand out in network automation

Top 5 VPN myths and misconceptions for IT organizations

SearchCIO

Top 2020 IT priorities hold fast amid COVID-19; spending takes hit

How CIOs can combat the IT talent shortage

How companies can ensure success working from home

SearchEnterpriseDesktop

How SCIM can automate user provisioning

Manufacturer turns to micro apps to save time

End-user productivity becomes a priority for remote work

SearchCloudComputing

Identify the Google Cloud developer tools you need

Compare the 3 types of private cloud

How to deploy Terraform code in an Azure DevOps pipeline

ComputerWeekly.com

BCS calls for computer coding in scientific research to be more professional

Revealed: Surveillance camera network that covered Dominic Cummings’ lockdown travel

Coronavirus: CIOs should consider a new desktop IT strategy

Dig Deeper on Information security program management

Channel roundup: Who’s gone where?

How important is security awareness training for executives?

Breach awareness low among executives, CA Veracode survey says

Equifax breach claims another scalp

Related Q&A from Mike Rothman

Join the conversation

1 comment

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.