Answer

What are the top five concepts or lessons on security management?

Many security managers wish their company executives understood more about the importance of information security. Security management expert Mike Rothman lists the top five things every executive should be informed of.

Mike Rothman, Securosis

If you could make business/executive management more aware about five concepts or lessons on security, what would they be?

Getting it down to 5 is really hard, but here goes:

Security is a journey, not a destination: Executives need to understand that security is never done. If a new user or application or trading partner has been introduced to the organization, then new risks have been introduced as well. Security is not a box that can be checked. That is probably the most important concept to convey.

Nobody can protect what's important, unless it's been made clear exactly what is important. Security is not generic. It's important not to treat every system and asset the same. Some stuff is important and should be protected at all costs. Some stuff isn't, and therefore resources shouldn't be expended to protect it. The executive managers have to decide what's important, and they need to tell the security team. Help them understand the choices they need to make.

Compliance is not the goal of information security. This is related to No. 1, but important in its own right because many executives believe that once they get the compliance stamp from an annual audit, they don't need to think about security anymore. Being compliant does not mean the organization is secure. That's extremely important to get across.

The users are the weakest links. The reality is that many serious data breaches are caused by human error and are not intentional. That means it's still important to train users on a continual basis about what they can and can't do.

Incidents are going to happen. There is no way around it: EVERY organization will eventually be faced with an information security incident. Many executives freak out when incidents occur, and that's because the security team has done a poor job of managing expectations. The important part is how well the organization recovers. How much data was lost? What are the ramifications? Help the executives understand the need for a formal response plan, because having one in place when the inevitable happens will make it much easier to deal with.

More information:

Read more about getting information security buy-in from the executive team.
Learn more best practices in security program management from NIST.

This was last published in June 2008

Dig Deeper on Information security program management

Related Q&A from Mike Rothman

How to prevent software piracy

Pirated software is still a major concern nowadays. Uncover how to prevent software piracy and protect your organization's intellectual property. Continue Reading

What are the roles and responsibilities of a liaison officer?

While liaison officer responsibilities vary depending on the company they work for, their strong organizational and communications skills make them ... Continue Reading

What's the best career path to get CISSP certified?

The CISSP certification can be a challenge to obtain. Mike Rothman unveils how to get on the right education and career tracks in order to get CISSP ... Continue Reading

What are the top five concepts or lessons on security management?

Many security managers wish their company executives understood more about the importance of information security. Security management expert Mike Rothman lists the top five things every executive should be informed of.

Dig Deeper on Information security program management

CSO (Chief Security Officer)

5 ways bad incident response plans can help threat actors

Biden beefs up public-private security cooperation

Channel roundup: Who’s gone where?