| Subject: | RE: Top Information Security Management Challenges in the Enterprise Today? |
|---|---|
| Date: | Wed, 26 Oct 2005 10:28:07 -0400 |
I have found that the top challenges that I have faced are:
1) Gaining and maintaining Senior Management buy-in to security issues.
Management needs to be focused, define what their business objectives are,
have UNIFIED business objectives not individual ones, and know what their
corporate values are. They also need to understand why they are acting on
security. Security officers need to be privy to these concepts so that they
may build policy, process and procedures to support and enable them.
Management needs to modify and then accept them, and to adopt them. LEAD BY
EXAMPLE, and don't punk out because you meet resistance! You agreed to do
these things for a good reason. What has changed?
2) Profit versus responsibility arguments.
Businesses have a responsibility to the customers that they are servicing.
They should be very concerned about protecting information, relationships
and the systems that support them. Regulation and legislation are on their
way, however a responsible corporate citizen should be willing to invest in
security as a matter of courtesy and survival. I have seen SMBs spend
literally millions to procure new network components and designs, and
watched the layers of security stripped out as a cost cutting measure. The
justification: it is too expensive/difficult/cumbersome to do the right
thing.
3) Disorganized Management.
Too often I have come across "In-Flight Management" where decision and
strategy makers are flying around from office to office, and have time to
read the latest article from some 'expert'. Suddenly, their strategy is
changed. Next flight, another article, another plan. I'm all for
continuous improvement, however, it is critical to have a long-term goal and
a plan to get there. Constantly shifting focus and changing direction,
setting out one set of objectives at one office and then choosing a
different approach or message at the next stop is counterproductive.
Better to use a phased approach, keeping everyone on the same page until you
and they are ready to move to the next level.
4) Getting IT staff to accept their role, and set an example.
IT is used to "heroics", and being praised for their willingness to be burnt
out. This needs to stop. IT staff should not be encouraged to work
overtime to get things done. IT staff should not be rewarded for putting
out fires. IT staff should be rewarded for AVOIDING fires, for planning
changes, and for reducing downtime. IT Managers should expect and encourage
root cause analysis, strategic planning, tactical planning and operational
excellence through the adoption and use of methodologies. IT staff should
stop resisting 'paperwork' because they see themselves as 'do-ers'. ('Do'
the 'paperwork'!)
5) Getting general staff to understand the importance of security.
End users and managers need to be aware of their security roles and
responsibilities. Often, they complain that they are just too busy to be
bothered with an annual security awareness review. Too often they are
supported by their managers and others, and are allowed to reschedule or
avoid these important sessions. Attendance at security awareness sessions
should be mandatory for all staff, and this should be strictly enforced.
(By the way, annual is NOT enough. More like quarterly, but baby-steps,
baby-steps.)
6) Getting policies through the sign-off stage.
A Security Manager can create all manner of policies, aligning them
strategically with the business mission, accommodating the business'
specific needs, and in compliance with regulations and standards, but if the
powers that be can't lift a pen to sign them into action in a timely manner,
they are reduced to fun and exciting exercises in fantasy. Not only should
they be read, considered thoughtfully, and signed, they should also be
carried to the masses by the C-level managers and given the importance that
they deserve.
7) Changing behavior and corporate culture to align with new policies.
It is very challenging to change the way that people behave. All of the
technology in the world won't stop a user that insists on doing the wrong
things for the right reasons. Reward your people for doing the right
things.
There, I feel better now. Thanks Brad! LOL
Mark
-----Original Message-----
From: Brad Bemis [mailto:bradleyb@bradleyb.net]
Sent: Monday, October 17, 2005 8:34 PM
To: 'Security'
Subject: Top Information Security Management Challenges in the
Enterprise Today?
I am interested in hearing about what many of you consider to be the
top information security management challenges that organizations
face today... and if possible, a short synopsis of the actions that
you've taken to address them within your own organizations.