As a CISO, I am often asked, “What is the key component to the success of an Information Security organization?” Too often, we dwell on the failures or gaps, and it is important to recognize where these faults lie in order to enhance the program’s capabilities.
But when things are “working,” it is easy to become complacent. When a properly planned and managed component protects the firm, in many cases, accolades are not offered.
In the current information security landscape, there are many moving parts that need to work seamlessly to ensure the protection of company assets, maintain compliance and continually evolve to address new challenges.
Vulnerability and threat management, security operations, assurance, data loss prevention, intrusion detection and prevention, as well as metrics and reporting, comprise some, but not all, aspects of a successful information security organization.
Much advancement has been and continues to be made in the “intelligence” of these products and today there are multiple vendors and solutions to choose from to achieve the desired results.
For example, detection and prevention tools have advanced from static, signature-based detection to advanced anomaly detection. Collecting, correlating and analyzing the data and events generated from these disparate systems, whether network or agent-based, has improved greatly. However, even with advanced analytics and event correlation tools, there is still the human factor that I believe is at the core of any successful program.
In my opinion, people are the most important part of any organization, especially one as dynamic as information security. All of the most advanced tools, properly planned and implemented, are still only “tools” without knowledgeable people to manage, maintain and analyze their output(s).
Knowledge, aptitude and work ethic are desired qualities in individuals, but the ability to communicate and work as a team is what achieves success. No matter what sport you may follow, we have all seen teams with great talent fail time and time again due to internal divisiveness and a lack of cohesion.
Many businesses emphasize employee engagement and have retention policies and incentives to keep their top talent. Talented individuals tend to be self-motivated and committed. So while it helps to have these programs, they are not the only factors in building and maintaining a great team.
I have found that creating a culture that emphasizes common goals and allows individuals to participate actively is one part; the other is to demonstrate appreciation and loyalty. This last part is the hardest challenge. People want their opinions to be listened to and respected and they appreciate managers who “have their back.” This is my philosophy and I encourage others to consider this approach.
Using a sports team analogy, it doesn’t always matter who the highest paid or most talented player is if the rest of the team won’t block, tackle or make the extra effort on their behalf. Great teams need to understand the game plan and need to communicate effectively. No championship in any team sport has ever been won without good coaching and team coordination.