Posted by Heidi Shey on December 7, 2012
Keeping up with the threat and IT landscape, looking ahead to future technology and disruptive technologies, and keeping up with the regulatory landscape to identify what it means to your organization is no small task. It’s also not a technology issue, but one that involves your most valuable asset: people. S&R pros, call it maintaining your security edge: keeping skills fresh, encouraging new ideas to flow, and preventing the security group from getting stale and set in their ways and habits. Fail to invest in your people, and an exodus of talent will the least of your concerns as a new type of internal threat is born. A security team and an organization that maintains their security edge will be better equipped to protect the organization and its assets through better decision making at all levels.
I’m kicking off research on this topic in the coming weeks, and would love to hear what you think it means to maintain your security edge. My initial ideas approach the topic from three angles:
- Individual security contributors. These are the folks that need to keep their skills fresh and network with peers. Consider opening up opportunities for them to take continuing education courses, achieve certifications, or attend conferences. Encourage participation in online communities or social networks to connect with peers.
- The security group as a whole. This is where group think may occur, and lead to less than optimal decisions, especially if there hasn’t been much focus given to the development of individual security contributors. Bringing in new blood and a fresh perspective with an external advisor can be beneficial. Or, perhaps, engage in information sharing with other organizations where appropriate.
- The company as a whole. Employees are the front line of defense. Not all forms of security awareness training are created equal, and it’s an exercise to determine where you’ll get the most bang for your buck, effort, and time. Also, understand how employees work, and the (non-company supported or provided) tools and services they use, in order to better assess risk and help to securely enable them to get their jobs done.
How do you maintain your (personal) security edge, and your organization’s security edge? Do you see it primarily as a people issue today, or are there elements of a technology, policy, vendor, or service provider relationship that you see to be vital as well? I’d love to hear your thoughts.