Sharing knowledge and good practices is one of the core values of BiZZdesign. We regularly organize and contribute to online and offline seminars, conferences and round tables. After presentations on “Security is not an IT problem”, which discussed the lack of a relationship between security policies and measures in many organizations, we continued the debate in the form of a World Café. My last blog post was about building awareness around Information Security. In this blog post, I want to share the seven worst practices we learned from the participants of our seminar. Please share your best and worst practices in the comments section below.
1. Support evasiveness and just make policies
It is very easy to make extensive lists of policies, principles and measures. However, having many of these in place has never been an indicator of success, and in fact drafting and managing them is very time-consuming! It is better to have a few useful principles and measures than many not-so-useful ones. What absolutely doesn’t work in building a secure organization is to support ways of working around the policies and measures set in the organization. In many organizations, the urge to make life easier is very high…
2. Always hit the brake and slow down the organization
Approaching security only from a technological perspective is not very clever. Letting the business get away with not doing a proper risk analysis is a guarantee for failure! Another worst practice in this category is to declare security as the goal, and not as an important set of means!
3. Manage security on the basis of hypes and incidents
The yearly hype cycle on emerging technology from Gartner (and all others of this same kind) gives a nice overview of different trends in the market. For technology-oriented people, it is tempting (and maybe natural) to have the urge to work with or on these new technologies. Of course, you need to be aware of the security aspects (both threats and opportunities) that come with these new technologies, but managing risks based on these hypes is a bad plan. The same goes for running from internal accident to external breach and back. You need a plan and some structure in your approach to become and stay a trustworthy partner, delivering value to the organization.
4. Fire fighting
Moving from one incident to the next. Hitting the brake on project A and quickly running to project B to fix a security bug there. When you work in a fantasy in which you're the security hero who fixes all problems as they occur, you are likely to end up burned out. Also, the business will burn anyway, since nobody, not even you, can cope with all the fires popping up when there is no investment in awareness and clear measures.
Producing a great plan and never acting on it never helped anybody. Get it off the slide deck, move on from the spreadsheets and make things come alive for real! When exceptions occur, you can either accept them or take direct (temporary) measures. Typically this is just a first reaction that needs a more sustainable solution in the long term. In some organizations, the temporary fixes tend to stay longer than expected, since the security force is already fighting new fires. This hinders long-term security and might even bring new threats to the organization.
6. Being too ambitious
You are in an organization that has a certain maturity level. Not understanding this, and not dealing with the speed of change and culture that is the standard in your organization will frustrate others and yourself. Speeding up when others want you to slow down, and bringing more content, when people ask for extra explanation regarding earlier shared information is a worst practice that some have seen in practice.
7. Never mind the culture
Every organization is different! Top down vs bottom up, highly educated staff or low educated staff, and text oriented decision makers or visually oriented decision makers. “Culture eats strategy for breakfast!” is a famous quote that applies to Information Security strategies as well. To really understand people, the culture and the success factors for implementation, learning from (recent) history is important. Without noticing and playing the culture, you will organize pushback and create insecurity with your own behavior.
Information Security good practices are to be found in many places. Organizing a workshop to generate ideas on worst practices can be great fun and really helps people to reverse their thinking and be more creative. We hope you benefit from the insights we bring you, gathered from experience in the field and in our workshops on information security.