Can’t see the forest for the trees? Security can be a very frustrating field of employment – much like the pursuit of good science, working in security can mean you are second-guessed, armchair quarterbacked, and, at times, just not listened to at all. At the same time, it can be very rewarding when the good security guidance that you have provided has resulted in your clients’ data being protected during a security maelstrom. Finding a way to get security buy-in and, even better, 100% adoption of good security practices should be constant goals for anyone in this field.
I used to work for a company that had requirements for me to travel to many client and company sites located around the world. It was a great experience and I learned some valuable security and life lessons. Working in different parts of the world also forced me to learn to communicate with others whose first language was not my own (English, obviously!) and this presented special challenges when explaining and implementing security. Sometimes it was not enough to fully describe what I was trying to achieve with regards to getting an office or a customer solution more secure – sometimes I had to try to think like my audience. For example, explaining “piggy backing” “tailgating” can be as difficult in Hungary as it can be in Chile.
The lessons I learned about communicating security concepts and practices were also applicable in North America since I have witnessed blank stares from some Senior Management or even Information Security staff when I state that they need to consider building a better, more understandable Information Security Management System. In my experience, if people are not interested in reading your ISMS content, then they will be just as disinterested in applying its good security guidance. So, some advice from me – take it or leave it:
1) Do not build one monumental document and name it “The Information Security Policy”. Your ISMS needs to be reviewed at least once per year and you need staff to review it at least once per year. Who will actually read an enormous single document?
2) Build high level Policy documents, then Standards based on the Policies, then Processes, Procedures and Guidelines based on the Standards. The lower you go in this structure, the more applied the content and language is in the documents. This way, you easily review (or read) the Policy documents annually and then other pieces can be reviewed, read or updated as needed.
3) Build a communications plan for your ISMS. Ensure staff are kept aware of security by reinforcing the information to them. Use emails, put up posters, have contests, do mandatory annual security awareness training (keep this simple and applicable to your staff and your workplace!), and communicate new threats and new security lessons learned for your organization.
4) Avoid creating an atmosphere of fear in your security program – always saying that “the sky is falling” will create security fatigue and minimize the effectiveness of your security program. The other side of this is to ensure your security program is based on a calm approach – I once had a manager who was always looking to react strongly to even the slightest breeze that might be blowing in the security weather forecast and I spent a lot of time just talking the situation down to a manageable level. Without some aspect of calm, you cannot see the real situation clearly enough.
5) Less is more – I once used this phrase in a meeting with a former manager of mine to describe what we should be doing to make our global information security program more manageable for our security team members and easier to implement. He liked it so much, he adopted it as his own and used it as our unofficial motto (and, no, no credit given to me!). Keep your security program lean and mean and do not overcomplicate it otherwise your organization just will not be able or willing to apply it.
On one of my trips abroad in a past job, I was staying in a hotel in Brussels and it was located near the European Parliament building. I went to use the hotel’s business centre one morning to print off my airline tickets for my flights onward on my journeys and I had to wait for another guest to finish. As the other guest got up from the computer, they dropped some of their printouts into a garbage can next to computer. When I sat down at the computer, I saw the documents staring up at me from the garbage can; they were official government budget documents with the nation-state’s logo and name proudly displayed on the cover page and this particular nation-state was in a very public and very dangerous conflict with its nearest neighbour at the time. The papers included defence spending information. I put the papers in a shredder bin nearby – still not perfect but the other guest was long gone so there was not much else that I could do. The lesson: whatever your security program ends up looking like, you need to be ready for the eventuality that someone will tell you that it is just too much trouble for them to read or follow your good guidance. Do you best anyhow and you can at least rest easy knowing that you did!
Keep calm and keep calm!