There are many challenges to getting a cybersecurity program right. The right technology must be deployed, managed, and tuned just right; CISOs and security managers must be able to get the executive support and budget needed to execute on their plans; and those plans have to be well crafted. Not to mention that nearly everyone in the organization has to be security conscious and savvy, or nearly any organization is one phishing-attack click away from compromise.
Security managers (and their entire teams, for that matter) don't need to make enemies of themselves. But they often do, and they end up setting back their own efforts as a result. With that in mind, here are seven common ways IT security sabotages its own efforts.
The Road-blocker: This is the security manager that has turned the CISO office into the “Office of No.” No wireless. No cloud. No worker is to use the mobile devices of their choice. It’s the best known way to lose friends and influence over business teams. The better way: help departments achieve what they want, while minimizing risks or finding acceptable compromises.
The Fear-monger: This security manager has never heard of a threat without warning executives and business users about it. Every new virus, worm, and breach headline is e-mailed out as a warning. This security pro has several slides in every presentation crammed with breach news headlines and big, scary malware statistics. The problem: the warnings eventually get ignored. Use real-world risk when appropriate to build your business case, and don't overdo it.
The Money-Thrower: There's no problem money can't solve. Effective security is about throwing as much technology and as many people at the problem as possible. The problem with this approach, especially in these days of tight budgets, is that every IT pro needs to be able to do more with less, IT security included. Focus on the risks that matter.
The Whiner: If only the security budget was bigger. If only the end users weren't so naive. If only the executives understood security. The problem with whiners is that they often don’t realize they are their own worst enemy and have failed to properly explain the IT security risks to all stakeholders.
The Button-pusher: To this security manager, there's not a security challenge a new technology can't solve. Need better application security? Deploy a WAF. Need better network security? Install the latest firewall. Want secure mobile devices? Buy licenses for mobile anti-malware. While new technologies are necessary, they shouldn't be the default position, and the dependence on technology defenses alone shouldn't be too high.
The Jargon Speaker: Business leaders aren't persuaded by security lingo and couldn't care less about the difference between SQL-injection attacks and privilege escalation. What they do care about: the database is at risk, and that risk needs to be mitigated to protect customer data and maintain regulatory compliance.
The Isolationist: This is the security manager who doesn't listen to the actual business side of discussions. He/she doesn't try to learn the unique challenges of operations teams and business managers. Secure is secure. Period. To him/her, the context of a risk decision, whether set by the business case or the industry, doesn't matter. This attitude is the road to irrelevance.