5 Addictions of Information Security Professionals

Like most other disciplines, information security has its share of practices that are performed out of habit and might be detrimental to the organization. Here are a few such “addictions” that I have come to witness into world of information security:

  • Long security policies: Process and detail-oriented individuals that we are, we cannot help but create wordy documents that might satisfy some auditors, but are too long to be read by others. Keep security policies and procedures short.
  • Strict security mandates: Security documentation often codifies the desirable state of the security program without accounting for practical limitations of the business and humans who there. The policies are often unrealistic or overly-strict, making it impractical for people to follow them. Make security documents realistic.
  • Information security gadgets: Since infosec professionals often have engineering or technical backgrounds, we love technology. As the result, we are easily excited to hear about new security gizmos that promise to take care of a security issue du jour. We forget that people and process are other critical elements of a security program. Exercise restraint when deploying new security tools.
  • Best practices: We love making references to “best practices” without considering the extent to which they are applicable to the occasion or have been shown to actually reduce risk. Along these lines, we attempt to implement high-level frameworks such as ISO 27001/27002 without customizing them for the situation. Be judicious when picking which security controls you adapt.
  • Prevention of security incidents: We often think in terms of preventing security incidents, setting ourselves up for failure. A more practical approach might be to focus on making it more costly to bypass your defenses and investing effort into breach detection and incident response. Reexamine the success factors of your security program.

For more thoughts along these lines, take a look at my earlier posts:

Updated

About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He builds innovative endpoint defense solutions as VP of Products at Minerva. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.

Learn more