Highlights from Day 1 of RSA:
I attended the professional development track, and pulled most of these quotes from there. Follow me on twitter to see what strikes my fancy in real-time.
- Remember that being a security leader is first and foremost about leading. Too often we get bogged down in management. Managers deal with complexity, scheduling and resource allocation. Leaders deal with setting a direction and figuring out how to get there. The quote which was used in this session, which I love, was “managers follow a map, leaders follow a compass.”
- The biggest key to the success of any security program is achieving goal congruence with the greater organization. Every security objective should directly support the overall objectives of the company. We in security must figure out how our projects contribute to the organization’s success.
- One of the comments that stuck out to me was drawing the difference between CIOs and CISOs. Per this presenter, CIOs want to be remembered often. CISOs want to be remembered not at all. While I understand and appreciate the concept (much like a baseball umpire never wants to be talked about after the game), I believe it's an outdated model for a CISO. Today's security departments need to find ways to add value to the organization, stepping out from behind the curtain. Instead of focusing solely on avoiding breaches, security can add value to organizations in the sales process, by providing product innovations, and by assisting in the achievement of company objectives. I believe that the most successful CISOs in coming years will be front-and-center in senior leadership strategy sessions.
- Understanding security is not enough. To create an effective security program, first we must understand the business we’re supporting. In the vein of the Prayer of Saint Francis, “not so much seek… to be understood, as to understand.” We must first look to understand how the business can be successful before we can be successful in security.
- "The destination should achieve compliance, not be compliance." This is what I've been saying since I started this blog, and I believe it is truer now than ever. It seems like we all agree... but we must go from agreeing about it to practicing it. That's the challenge, and it requires real proactive work, getting ahead of our requirements rather than continually trying to catch up to the latest audit report or regulatory update.
- Let's ban the phrase "best practice." It's much like the one-size-fits-all shirt: it doesn't really fit any of us. The thin folks are swimming in it and we bigger folks look like a sausage. No two organizations will need exactly the same security program. A security program must be much more like a custom-tailored shirt, hiding our trouble spots and accentuating our strengths.
Cross-posted from Enterprise InfoSec Blog from Robb Reck