Taming the Wolf in You

Technology is only skin deep. When it comes to a solid security approach, it's what's on the inside that counts.

January 09, 2003

CSO — I was a teenage security werewolf.

Well, loosely speaking, anyway. I wasn't really a teenager. But when it came to security, I was young and naive and all about the technology.

And then one day I had an epiphany: I realized that sometimes what I considered to be an unacceptable security practice could still be an acceptable business risk. It isn't important, really, how I got there. I finally realized I had been missing the point, attempting to throw the latest and greatest technology solutions at the security issues I had identified. And I began to see that it was impossible to assess a company's security program without understanding its culture and how the business management processes evolved within it.

Now, maybe that's not news to most people. But to me, it was a revelation that rocked my world. So I set off to transform myself from a technology werewolf to a more sophisticated security manager, a true career enhancement decision.

Reality set in on day one of my new job when I sat down with my security staff and outlined how we were going to review policies, practices and guidelines surrounding our security capabilities. We would take the organization's enterprise security architecture to new heights. If the company's security architecture was at level six, we'd make it a seven. Or even an eight. I discovered pretty quickly that, when it came to security planning, my new company was really back at square one.

I should have guessed it right away. I remember worrying that something was missing during corporate's 10-hour new-hire orientation program. I didn't hear anything on computer security, let alone information technology in general. IT was simply not on the radar.

Digging deeper, I learned from the IT guys that the servers were "locked down," which gave the company the false notion that it was operating in a secure environment. The proverbial honeymoon was over before it even started.

Still, I was determined, so I set out to transform the psyche of my new company, convincing it that IT security has to start with understanding the business needs and then developing a strategy to address those needs.

Now, what we're all so fond of calling best practices can often be generic and unspecified recommendations from vendors or outside authorities that don't really understand the details of individual business needs. True best practices, whether security-specific or not, come from within. You need to understand how the business management processes evolved before you can prescribe any suggested practices.
