- Andrew Briney
Do you see the glass as half empty or half full? My guess is most of you said, "half empty." In most areas of life, that's a bad thing (just ask your spouse).
But when it comes to managing enterprise security, it's a natural -- even expected -- part of the job.
There's a lot about security that's inherently negative. The measure of security's success isn't when something good happens, but when nothing bad happens. Even the prototypical image of the security professional is largely negative. Essential qualities include paranoia, cynicism and suspiciousness.
You're taught to take nothing at face value and always assume the worst. You frequently use scary stories and warnings of dire consequences to motivate change. And when your coworkers see you strolling down the hall, their reaction is usually something along the lines of, "Uh oh, what did I do this time?"
Under this shroud of negativity, it's easy to overlook all the positive ways security is changing the fundamental landscape of business and government. That's why this issue of Information Security celebrates the "best" of the "4 P's" of security: People, Policy, Process and Product.
Why the 4 P's? Simple. Diversity is what makes IT security unique among technical and business disciplines. Most technical disciplines -- networking, data management, application development -- are focused on product and process.
Traditional business disciplines -- administration, HR, finance -- are focused on people and the application of policy. On any organization's road map, security lies at the intersection between business and technology. It's the security manager's job to translate high-level risk management policy into practical, actionable process; to make intelligent product purchases and implement them effectively; and to make employees accountable for their security actions.
The word "diversity" also characterizes our coverage of the best of infosecurity's 4 P's. From more than 340 nominations, we selected nearly three-dozen examples of leading infosecurity programs, projects and practices, and the people behind them.
You may not recognize many of the people profiled in this issue, and that's intentional. We wanted to uncover and celebrate some of the unsung heroes of infosecurity in all professional pursuits. These security pros are working behind the scenes to revolutionize approaches to infosecurity and revitalize the way security gets done.
Our coverage of best policies ranges from federal legislation to industry-specific best practices to benchmark security configurations to best internal corporate security training programs. Creating and institutionalizing a security policy is a difficult -- and thankless -- job. It's said that imitation is the sincerest form of flattery, and many of the programs we profile here could be modeled in your own organization.
By definition, the process of security is ever changing. As business and technical requirements change, a process that worked yesterday may not work today. Flexibility and resilience are the hallmarks of successful security process, and the processes we detail here have one thing in common: they remain effective amidst the constant swirl of change.
Choosing the best security products was difficult. Among other criteria, we were guided by the notion that products should be a means to an end. Technology should be thought of as a context: it's not the product that makes or breaks your security, but the way you use it. The tools we profile here -- both commercial and freeware -- are examples of how products can make a difference in security given the proper context.
Selecting the "best" across the 4 P's was clearly a subjective process. At the end of the day, not everyone will agree with our picks. Some will say, "How could you have missed X?"
Our list isn't intended to be comprehensive. Individually and collectively, the selections are intended to provide you with examples of positive change in infosecurity -- programs, activities and ways of thinking that you can emulate in your organizations.
I look forward to your feedback.
About the author:
Andrew Briney, CISSP, is editorial director of Information Security.