Manage

What are the top five concepts or lessons on security management?

Many security managers wish their company executives understood more about the importance of information security. Security management expert Mike Rothman lists the top five things every executive should be informed of.

Mike Rothman, Securosis

If you could make business/executive management more aware about five concepts or lessons on security, what would they be?

Getting it down to 5 is really hard, but here goes:

Security is a journey, not a destination: Executives need to understand that security is never done. If a new user or application or trading partner has been introduced to the organization, then new risks have been introduced as well. Security is not a box that can be checked. That is probably the most important concept to convey.

Nobody can protect what's important, unless it's been made clear exactly what is important. Security is not generic. It's important not to treat every system and asset the same. Some stuff is important and should be protected at all costs. Some stuff isn't, and therefore resources shouldn't be expended to protect it. The executive managers have to decide what's important, and they need to tell the security team. Help them understand the choices they need to make.

Compliance is not the goal of information security. This is related to No. 1, but important in its own right because many executives believe that once they get the compliance stamp from an annual audit, they don't need to think about security anymore. Being compliant does not mean the organization is secure. That's extremely important to get across.

The users are the weakest links. The reality is that many serious data breaches are caused by human error and are not intentional. That means it's still important to train users on a continual basis about what they can and can't do.

Incidents are going to happen. There is no way around it: EVERY organization will eventually be faced with an information security incident. Many executives freak out when incidents occur, and that's because the security team has done a poor job of managing expectations. The important part is how well the organization recovers. How much data was lost? What are the ramifications? Help the executives understand the need for a formal response plan, because having one in place when the inevitable happens will make it much easier to deal with.

More information:

Read more about getting information security buy-in from the executive team.
Learn more best practices in security program management from NIST.

This was last published in June 2008

Dig Deeper on Information security program management

How important is security awareness training for executives? Corporate executives are prime targets for spies and hackers, and that is why security awareness training for executives is so important.

Breach awareness low among executives, CA Veracode survey says According to a new survey from CA Veracode, breach awareness regarding recent major cyber incidents was low among executives, managers and directors, surprising some experts.

Equifax breach claims another scalp The CEO of Equifax has stepped down – the third executive to leave the company after it disclosed a massive data breach

C-suite executives confused about cyber attacks, survey shows Key executives need to be more engaged with CISOs beyond planning for security, and take a more active role, according to an IBM study

How should CSIRTs respond to email extortion schemes? The 2014 Sony Pictures hack highlights the importance of responding appropriately to email extortion. Learn what steps executives should take to best manage the situation.

Why is the CISO role necessary to enterprises? A chief information security officer is becoming a necessity to organizations. Expert Mike O. Villegas explains why and how to communicate this need to other executives.

Related Q&A from Mike Rothman

What are the roles and responsibilities of a liaison officer?

While liaison officer responsibilities vary depending on the company they work for, their strong organizational and communications skills make them ... Continue Reading

What's the best career path to get CISSP certified?

The CISSP certification can be a challenge to obtain. Mike Rothman unveils how to get on the right education and career tracks in order to get CISSP ... Continue Reading

What is the GISP certification and how does it compare to the CISSP certification?

In the world of security certifications, what is the GISP and how alike is it to the CISSP? In this security management expert response, learn about ... Continue Reading

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

Meet all of our Information Security experts

View all Information Security questions and answers

SearchCloudSecurity

McAfee launches security tool Mvision Cloud for Containers

Cloud security posture management, container images vulnerability scanning and DevOps integration are among features included in ...

How to implement zero-trust cloud security

The nature of cloud environments and workloads is changing. Security team approaches must evolve in response. Learn how to ...

AWS Access Analyzer aims to limit S3 bucket exposures

Amazon Web Services introduced the Access Analyzer tool at its re:Invent event. The new option aims to help users avoid ...

SearchNetworking

Consider these 5 FAQs for network monitoring best practices

New technologies are transforming how organizations plan network management and monitoring, introducing questions about legacy ...

Cisco's Silicon One networking chip targets cloud data centers

Cisco's Silicon One chip launch demonstrates a willingness to embrace white box routers in the hyperscale data centers of cloud ...

7 factors to consider in network redundancy design

Network pros have multiple factors to consider when it comes to adding redundancy in network design, including network equipment,...

SearchCIO

Transforming operations for successful cloud adoption

Still considering making the move to the cloud? Here are best practices and cloud-centric processes CIOs should follow to enable ...

IT workforce skews younger, says analysis of US data

The IT workforce is getting younger, according to government IT workforce data. The reasons for this are subject to a debate that...

Top edge computing trends to watch in 2020

Edge computing is still an evolving technology domain and enterprises should expect continued evolution in the year ahead. Here ...

SearchEnterpriseDesktop

How to shut down and restart a remote computer

Shutting down or restarting a computer remotely is often a necessary process. Explore the multiple ways to do so, using methods ...

Setting up Windows 10 kiosk mode with 4 different methods

For desktop admins, setting up Windows 10 kiosk mode can be a confusing process. IT should learn these four methods and choose ...

Microsoft extends Office 365 benefit to nonprofit volunteers

Thursday's announcement extends the company's September offering of 10 free Microsoft 365 Business licenses for nonprofits' ...

SearchCloudComputing

The future of the Kubernetes ecosystem isn't all about cloud

Developers still lean on the public cloud to simplify Kubernetes deployments, but that won't always be the case. See how ...

Evaluate general and niche cloud service use cases

Can't decide between a niche cloud provider or a hyperscaler? Review some real-world examples to help weigh the options and find ...

Compare niche cloud services to the hyperscale offerings

Consider your enterprise's specific needs when choosing between niche clouds and hyperscale clouds. Here's an overview of what ...

ComputerWeekly.com

Alarm bells ring, the IoT is listening

With Christmas bearing down on us, a series of vulnerability disclosures has drawn attention to the parlous state of IoT security...

New government faces calls to urgently deliver on pre-election pledge to review IR35 reforms

Contracting groups and trade associations say prime minister Boris Johnson must deliver on his party’s pledge to review the IR35 ...

Future fashion: does that dress come in digital?

A visit to a technology-fuelled fashion pop-up paints a picture of a world where retailers and brands sell virtual clothes for ...

What are the top five concepts or lessons on security management?

Many security managers wish their company executives understood more about the importance of information security. Security management expert Mike Rothman lists the top five things every executive should be informed of.

Dig Deeper on Information security program management

Related Q&A from Mike Rothman

What are the roles and responsibilities of a liaison officer?

What's the best career path to get CISSP certified?

What is the GISP certification and how does it compare to the CISSP certification?

Have a question for an expert?

Join the conversation

1 comment

Please create a username to comment.

-ADS BY GOOGLE

SearchCloudSecurity

McAfee launches security tool Mvision Cloud for Containers

How to implement zero-trust cloud security

AWS Access Analyzer aims to limit S3 bucket exposures

SearchNetworking

Consider these 5 FAQs for network monitoring best practices

Cisco's Silicon One networking chip targets cloud data centers

7 factors to consider in network redundancy design

SearchCIO

Transforming operations for successful cloud adoption

IT workforce skews younger, says analysis of US data

Top edge computing trends to watch in 2020

SearchEnterpriseDesktop

How to shut down and restart a remote computer

Setting up Windows 10 kiosk mode with 4 different methods

Microsoft extends Office 365 benefit to nonprofit volunteers

SearchCloudComputing

The future of the Kubernetes ecosystem isn't all about cloud

Evaluate general and niche cloud service use cases

Compare niche cloud services to the hyperscale offerings

ComputerWeekly.com

Alarm bells ring, the IoT is listening

New government faces calls to urgently deliver on pre-election pledge to review IR35 reforms

Future fashion: does that dress come in digital?

Dig Deeper on Information security program management

Related Q&A from Mike Rothman

Have a question for an expert?

Join the conversation

1 comment

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.