Security from Scratch: Defining Success
"In all things, success depends upon previous preparation, and without such preparation there is sure to be failure." – Confucius
In doing some background reading for this post I went to The Security Catalyst home page and did a search for "success". While I expected to find some stellar articles across the information security spectrum from fellow contributors like Jim McFee, Trish Smith, Ioana Justus, and others, I noticed something else – a ton of numbered lists.
While anecdotal, this was significant to me because a large number of these articles are how-tos regarding specific topics. The numbered lists found often represent prioritized goals – clear definitions of success created for you by experts in their field. When you find a consistency in approach across a multitude of people who are good at what they do, you should sit up and take notice. Defining success is also the first step of The Catalyst Foundation Series™.
Success in general can be a nebulous, subjective thing to define. Even within the context of an information security/risk management program, there are going to be many influences – people and circumstances – available to "help" you out. Here are some examples:
- If a company has had a recent breach, there may be a lot of pressure to focus on preventing a reoccurrence
- Upper management, legal, HR, etc. may be very interested in defining success within information security around things like compliance, litigation, incident management, etc. – especially if any of those are current/ongoing efforts
- Sysadmins might be interested in a focus on locking down various hardware assets, etc.
In setting up a security program from scratch, here are some thoughts to help prioritize those things, which is paramount in defining your success:
Listen to as many people as possible.
Gather as much information as possible so that your list of items is as comprehensive as it can be.
Clarify ambiguity – make your tasks as discrete as possible.
For example, having a goal of "achieving [insert compliance acronym here] compliance" may be a laudable goal, but it's useless without a clear picture of what that actually means. Where are your gaps? What specific tasks will close those gaps?
Strive for balance.
The primary goal is to protect assets while allowing the organization to run as smoothly and optimally as possible. Keeping that whole goal in mind will help define success in a way that would most likely be different if there was more focus on only protecting assets, or on only "staying out of the way".
Let your conscience be your guide.
In getting the lay of the land while creating security from scratch, there is a good chance of coming across things that were "brushed under the rug." Some of these may be innocuous items that can be put off until later, but other things, when assessed honestly, will quickly rise to the top of the priority list – as well they should.
Make the definition of success your own.
Ultimately the definition of success will represent one's own priorities, those of coworkers, colleagues, and "management", the stated goals of the organization, as well as any circumstantial elements that are present. With that, there needs to be a willingness to own the entire definition and be able to justify it. Being able to do so with confidence will allow a better case to be made for whatever resources may be necessary in achieving success.
Once there is a definition of success that is representative, clear, and with discrete tasks defined toward achieving that success, there needs to be a way to measure whether or not that success has been reached.
What do you think? Do you have any experiences to share with others? How can I help? Please leave a comment so that we can help each other!