Most of us have benefited from the mistakes of others. While this may sound like an odd statement, it makes a lot of sense when you think about it. For those of us who have been fortunate enough to have others share their missteps with us and are smart enough to internalize and apply those lessons to our lives, we learn not to repeat their mistakes.
For example, most of us know not to buy a car or a home without having it inspected first. Obviously, this inspection takes time and costs money. But we know that skipping this important step could take much more time and cost much more money down the line. Likely, we know this because we've heard nightmare stories from people who thought they would save a little time and money by skipping this step.
If you have been reading my pieces for some time, it will come as no surprise that I believe that we can learn an important security lesson from this. How so? A number of security processes, procedures, best practices, and initiatives require a significant investment in time and money. Yet skipping them is a big mistake for security teams.
While not an exhaustive list, here are 10 items that require an investment in time and money yet pay huge dividends for security teams.
1. Formalizing Policy
Policy isn't sexy or exciting, and it takes time to get right, but it is necessary. Having a formal policy codifies the rules of the game within an enterprise when it comes to security. Policy is an important basis for nearly everything that a security organization does. After all, the security team needs to have good answers when asked questions like, "Where does it say that is not allowed?" or, "Why can't I continue doing things the way I've always done them?"
2. Understanding Regulations
Regulations and compliance with those regulations is cumbersome. Nonetheless, there is little choice but to excel at it — the risk of fines and other complications is simply too high not to make understanding regulations a priority. This applies globally to all the applicable regulations in all the locales that a business operates in. Not the easiest task to stay on top of, but an important one.
3. Staying the Course
While it is difficult to stay on track and implement strategic initiatives despite tactical distractions that might arise, it is essential for a successful security program. Our strategic initiatives, if designed properly, ensure that we mitigate risk that has been prioritized and stay on track to meet our objectives and improve the state of security. As tempting as tactical distractions might be, they most often interfere with our strategic risk mitigation efforts — thus, in essence, lowering the security posture of the enterprise. Staying the course requires energy and determination, but it is important.
4. Nurturing Relationships
As security leaders, our relationships with key stakeholders in the business, executives, board members, and others are extremely important. Building and nurturing these relationships takes time — time that we might otherwise want to spend on other tasks. Nonetheless, these are important relationships that merit the time investment. These are the partners who will help us improve the state of security within our organizations.
5. Architecting for the Future
It is not easy to account for different possibilities that may arise in the future. Nonetheless, it is worth the time and energy. Consider a database schema — if we architect it only for the data we have available today, we may find ourselves in a conundrum in the future when we want to incorporate additional data into our workflow and processes. Then we would need to re-engineer or scrap solutions that were not architected for the future, which takes more time in the long run than getting it right in the first place does.
6. Resisting the Quick Fix
When dealing with a challenge, it can be all too enticing to put a quick fix in place. For example, it might be tempting to write a quick script to move data around, rather than leveraging a formal extract, transform, and load (ETL) process. However, the odds that a repeatable solution can be reused are high, whereas Band-Aid solutions generally need to be rewritten everywhere they are applied. Maintaining band-aid solutions often becomes a major headache for organizations as well.
7. Implementing Useful Training
Properly training staff requires a training budget and time away from other important tasks. It is well worth the investment for several reasons. Security professionals who are continually expanding and enhancing their knowledge and skill sets are less likely to leave for greener pastures. Well-trained staff also perform better. This directly influences the effectiveness of the security organization, which in turn directly influences the security posture of the enterprise.
8. Creating Proper Documentation
I don't think I've ever met a security professional who loves documentation. It is certainly time consuming, and it can be tedious. Nonetheless, when it comes time to understand how to do something, documentation is the natural go-to. Further, having well-documented processes and procedures also provides a means to show stakeholders within the business exactly how certain things work under the hood.
9. Capturing Lessons Learned
Documenting lessons learned in a way that they can be leveraged in the future takes effort. It is an effort that pays dividends, however, as only by learning from the past can security organizations really improve over time. As an example, consider a high-profile security incident that exposed some gaps and opportunities for improvement in the security program. Rather than covering these up, it pays huge dividends to painstakingly go through and capture each relevant point. Taking some time to log lessons in detail as they occur pays off later.
10. Applying Lessons Learned
It may be difficult to comb through lessons learned and figure out how to apply them to improving the state of security. This is worth the time and money, however, as it is a way to directly mitigate risk. Mistakes that were made and lessons that were learned from them provide a view into where risk was improperly managed in the past. This is one of the biggest targets for improvement that has one of the greatest impacts on the overall security posture.
Invest Your Time Wisely
Although it is tempting to skip important things to save time or money, it isn't wise. The best security organizations understand the need to invest in important processes, procedures, best practices, and initiatives. History has shown that such investment goes a long way toward greatly improving the overall security posture of an enterprise.