The Four IT Security Principles: A Practical Guide to Improving Information Security

The Four IT Security Principles: A Practical Guide to Improving Information Security

Security Commandments.

Below are four principles to help you become a more effective IT security leader. While these principles won’t solve all your problems, if you practice them regularly, you can’t help but reduce risks and knock annoying security problems off your to-do lists.

  1. Start a difficult information security task
  2. Every IT security leader has a laundry list of items that need to be fixed in an organization to improve information security and lower risk. Some of these issues may instill a certain fear or anxiety in you that prevents you from taking that first step. You probably have a few scary items written on post it notes around your desk right now, so why are you waiting? It could be because you don’t like who you have to deal with to accomplish the task, or maybe it isn’t in your technology comfort zone, or….

    Regardless of the reasons, the best security leaders face their fears head-on and pick up that phone, schedule that meeting or send that email NOW to initiate change rather than wait. What are you waiting for?

    Start one nagging issues right now. I’ll wait…

  3. Know your stuff
  4. In my personal opinion, there are way too many IT security professionals who don’t truly understand enough about technology. Many of the current leaders rose through a support role focused in one particular area, but never took the time or have the ability to learn another discipline.

    Understanding all aspects of IT including networks, development languages, databases/queries, server configurations, Unix, Windows, etc. dramatically improves a security leader’s effectiveness. If nothing else, it allows you to speak to technologists in their terms. It also lets them know that they cannot make something up just to avoid implementing a security fix.

  5. If you don’t get funding for big projects, fix security operations
  6. All too often, IT security leaders use “lack of funding” as an excuse for why they haven’t done more to lower risks. Funding will always be an issue, but even if you do not receive funding to implement an identity and access management solution, DLP solution or any other project, there are considerable ways to improve information security just within day-to-day operations.

    This is where having broad technical skills can help you truly become an effective IT security leader because it allows you to design and drive architecture improvements without massive project teams. Aside from technology, process improvements, process redesign, and lean operations can always be a focus. These areas should not require an official project.

  7. Don’t accept excuses from matrix-managed teams

From performing risk assessments at a variety of organizations, I see a large number of organizations living with open vulnerabilities. They don’t follow best practices simply, because nobody stands up to the individual technology towers and effectively influences them to change.

With technology, anything is possible, so it is up to you to manage external teams effectively. I have found that change is easier when you take an educational approach to influence technologists. An IT security leader must help technologists understand why certain settings pose environment risks. It often helps to frame risks around technology and security changes over the years. This approach can deflect resistance based on historical reasons.

By applying these four principles to your information security management practices, you can lower risk and become a more effective IT leader with minimal change and without increased budgets. Give it a shot!

BP_access-governanceGet Your Free Top 10 Access Governance Best Practices Workbook

Learn the top 10 Access Governance Best Practices for successful implementations from experts. Sidestep the challenges that can derail GRC software and compliance management projects.

Request the Workbook

Written by Ryan Ward

Ryan Ward is CISO at Avatier, responsible for security initiatives as well as strategic direction of IAM and security products. A sixteen-year veteran of the security industry, Ward comes to Avatier after five years with MillerCoors where he served as Enterprise Security Manager of the brewing company and USA Information Security Officer for the public company SABMiller. In those positions Ward was responsible for all Information Security initiatives for MillerCoors. Prior to MillerCoors, he served as Senior Information Security Leader at Perot Systems while supporting the Wolters Kluwer account. He previously held the position of Vice President of Information Systems for Allscripts.Ryan is also a Certified Information Systems Auditor (CISA) and a Certified Information Systems Security Professional (CISSP).