5 Addictions of Information Security Professionals
Information security professionals develop habitual practices that can be detrimental: overly long policies, unrealistic mandates, gadget fascination, blind adherence to "best practices," and an exclusive focus on prevention over detection and response. Recognizing these addictions is the first step toward more effective security programs.
Like most other disciplines, information security has its share of practices that are performed out of habit and might be detrimental to the organization. Here are a few such “addictions” that I have come to witness into world of information security:
- Long security policies: Process and detail-oriented individuals that we are, we cannot help but create wordy documents that might satisfy some auditors, but are too long to be read by others. Keep security policies and procedures short.
- Strict security mandates: Security documentation often codifies the desirable state of the security program without accounting for practical limitations of the business and humans who there. The policies are often unrealistic or overly-strict, making it impractical for people to follow them. Make security documents realistic.
- Information security gadgets: Since infosec professionals often have engineering or technical backgrounds, we love technology. As the result, we are easily excited to hear about new security gizmos that promise to take care of a security issue du jour. We forget that people and process are other critical elements of a security program. Exercise restraint when deploying new security tools.
- Best practices: We love making references to “best practices” without considering the extent to which they are applicable to the occasion or have been shown to actually reduce risk. Along these lines, we attempt to implement high-level frameworks such as ISO 27001/27002 without customizing them for the situation. Be judicious when picking which security controls you adapt.
- Prevention of security incidents: We often think in terms of preventing security incidents, setting ourselves up for failure. A more practical approach might be to focus on making it more costly to bypass your defenses and investing effort into breach detection and incident response. Reexamine the success factors of your security program.
For more thoughts along these lines, take a look at my earlier posts: