Today the information security industry has more security frameworks, blueprints, methodologies, checklists, security management dashboard software, best practices, and ongoing academic research (supported by substantial grants or budgets for security implementation) than ever before. But information security accidents and sensitive data spills continue at an alarming rate.
With a 30-year career in information security compliance, I see that the worst-case scenario for any organization is to get behind the power curve in implementing mandates or documenting continuous security monitoring, or to have planning and action milestones spill over from year to year, as a result of information security professionals who have lost touch with basic information security situational awareness.
Nothing is new here, as the security industry has spent most of the last 30 years taking old information and binding it under catchy new titles or phrases that only mirror security concepts from work published a month, a year, or decades earlier. Although numerous published articles, journals, and books are filled with an abundance of information security guidance, only a few security domains are technically complex in areas such as mathematical number crunching or engineering inventiveness; many domains are not complex at all.
Many published security books fail to address critical success factors that are directly related to the security professional's survivability in the field. The conduct of a security professional matters as much as the widely adopted security governance concept. Julia H. Allen observed in "Information Security as an Institutional Priority" that a root cause of the collapse of a security program is directly related to a security professional's "behavior, capabilities, and actions."
Take a few minutes and look at these two key information security historical documents: "Guidelines for Automatic Data Processing Physical Security and Risk Management," better known as Federal Information Processing Standard 31 (FIPS 31), published in 1974, and "Building a Secure Computer System," published in 1988 by Morrie Gasser. Not only did these publications provide much of the foundation for today's information security material, but they also outline some long-standing critical success factors required for the security professional's survivability and knowledge in the field.
Gasser wrote, "The problem is people, not computers," and information security professionals need to recognize that they are a factor inside the equation that produces poor or substandard compliance. I often see an information security professional who clearly has an inept security program believe that the program will improve over time without ground-pounding active engagement. This thinking raises the chances of a significant information security incident boomeranging around the world and back.
When selecting or evaluating a person for an information security role, what is the exact fit to protect business data? I have witnessed security professionals with advanced security certifications and higher education struggle as a result of poor organizational behavior, project management, and writing skills.
What I recommend is not found in any IT interview or security handbook, but over the years I have identified key critical success factors in performing the duties of a good information security professional, and they make a good baseline for elevating performance or focusing a hiring decision.
A security professional must be a highly motivated, reliable, goal-setting, competent individual who remains one step ahead of anyone handling, moving, or safeguarding data within the organization. This has been a requirement as far back as FIPS 31, which states, on the selection of personnel, that "people are the most important part of the Automated Data Processing Facility and no facility can function without mature, trustworthy people with a high level of motivation."
A security professional's survivability in any organization depends on how well they fit in. Why? If you are an organization of thousands of employees with only one security professional, open collaboration between employees and the security professional is essential. Employees should be considered your deputized eyes and ears under the security professional's sheriff's badge in reporting unusual events.
The security professional's self-esteem and personality must show that they are, in fact, confident in taking full ownership of their security program and are fully accountable and responsible for it.
Security professionals must be visible and engaged, practicing management by walking around. A security professional who looks for safe harbor behind office or server room doors is not in tune with the organization's plan of the day (movement of technology assets, environmental issues, visitors, terminations, etc.), which drastically lowers awareness and raises the risk level.
Security professionals must fight the fear of the "unknowns" by researching and following up on administrative and technical issues that may be vague to them. Time should be set aside, with a specific short-range goal, to learn about anything and everything in the organization that touches data in relation to any manual or automated information system.
The security professional must understand that the entire security domain was not developed to be her responsibility alone. System owners and data custodians need to be given clear guidance on their roles and responsibilities, given the stare down that they are directed to provide updated reports on auditing and monitoring, and delegated to conduct regular unannounced spot checks in their area of control. Security professionals should explain this concept to management and require clear and specific designation letters, signed by executive management, outlining system owners' and custodians' responsibilities.
It is often said that security documents are living and breathing, subject to constant change; but "living and breathing" is not an excuse for a security program to remain in a constant state of flux for months and years. If a security professional's mindset is to pull these documents out only during compliance inspections, a three-year review, or an incident, the bad news is that these documents are no longer living.
Security professionals who enter into or are hired into a minimally functioning security program should set a specific target date to move the program from a minimally functioning, high-risk program to a program of compliance, continuous monitoring, and acceptable risk.
Security professionals must become information security researchers with a proactive role in enhancing government or commercial frameworks to best suit their organization. This can be done by seeking out factual and scientific security information from academia, professional organizations, and international standards.
Project management, organizational skills, and customer service are just as important as locking down a firewall, writing a policy, or conducting employee education. Writing skills are extremely important, as security programs carry significant administrative reporting requirements. High-level executive status reports and budget reports are only two of the documents management requests for compliance reporting. If a security professional cannot communicate effectively in writing when asked, they may find themselves in a tight situation when they need to provide security justification in terms of total cost of ownership (TCO) and return on investment (ROI).
If administrative and technical writing deliverables are part of the business, a good practice is to examine a security professional's past academic or professional writing and use it as a factor in hiring decisions.
Jeffrey Smith holds an M.S. in Computer Technology in Education from Nova Southeastern University in Fort Lauderdale, FL, where he is currently completing his Ph.D. in Information Systems. Since 2004, he has taught Computer Science at Park University and at ECPI College of Technology in Charleston, SC. He worked for 23 years as an Information Technology Security Naval Officer in cryptographic and fleet radio spectrum communications. He currently holds two journeyman Department of Labor licenses, in Data Processing and Wireless RF Communications. He is currently a Certified Government Information Security Officer for five Department of Veterans Affairs Medical Centers in South Carolina.