CHAPTER 12: JULY: JOURNEY’S END … AND CONCLUSION

Returning to the lessons learnt

When your pet project gets cancelled, how do you move forward? Therein lies the rub of labelling anything in the information security space as a ‘project’. As we have seen throughout this book, it needs to be baked into the DNA of the organisational infrastructure and so there is no ending, as it is constantly changing and adapting to the threat and vulnerability landscape within which we are operating.

Equally, as an ISM, you need to ‘know the business’. The IT community in its entirety is so often charged with ‘not understanding the business’, so linking this with being a professional (see section below), it is important that you take the time to learn as much as you can about your environment – as we saw and learnt in Chapter 1. This is most often referred to as ‘situational awareness’ and requires constant vigilance, in particular, to assimilate the nuances of both the culture and the language being used by those around you, so that you can seek to mirror it. The more you can successfully achieve this, the better will be your results when you are trying to either change behaviour or gain support for a change in activity – all of which is designed to provide greater security and protection for both the individuals to whom the change will apply and the individuals whose information may be tangentially involved, too.

The life of an information security manager

So what have we learnt about being an ISM?

You should never be idle or bored, that’s for sure! It is possible to try to apply some level of structure across your year, if you are not experiencing too much organisational flux or change. There are constantly recurring themes – laptop management, password management, access control, server management, etc. This is to be expected. Things recur which, if dealt with properly once, can change the game, but which, if you merely stick on a plaster, will keep on flaring up. Your role is very much one of providing solutions, often in difficult circumstances, so think creatively, too.

It’s an ‘always on’ existence, as your shields are up and you are always considering the dangers that may arise, in all walks of life. The more you allow this kind of thinking to overtake your brain, the more you can apply the solutions you come up with to your day-to-day role.

How long does it take for something to become an established discipline, understood and followed by all? What is the motivation for adoption? Will mandating make this adoption more successful? Your user base will, in some cases, have a ‘what’s in it for me?’ mentality and you must be sure to address it. We have seen that there will be challenges around compliance: personalities, prioritisation, internal versus external politics, convergence, centralisation and professionalism. Ultimately, you will need collaboration to gain trust – across teams and across the whole organisation. You need to be a counsellor, guide and adviser, busy all the time working out ways to inspire and enthuse those around you!

In the preface, I described the reality: that so many people find themselves in the role of ISM having had it presented to them as a ‘gift’. So often, you are left feeling like you have received a poisoned chalice. It is a constant uphill battle trying to persuade hearts and minds to do different things. Imagine, if you will, that you are in the care of the dental hygienist. Over the years, the dental practice has found that they can reduce time spent in the dentist’s chair by increasing the time spent in the dental hygienist’s chair instead. It’s not clear that this is any more pleasant for anyone, but the idea is that they are moving the interaction to a more preventative approach, rather than a reactive one. So the dental hygienist will tell you, on each and every occasion that you visit, that you need to floss more, you need to use the interdental brushes and you need to work your main brush into the gaps between your teeth to reduce plaque and ultimately reduce tooth decay and gum disease – the latter being the biggest risk to the former. Invariably, you can end up feeling both patronised and chastised by this, in equal measure, depending on your behaviour. It comes down to the choices you have made in the intervening time.

Delivering robust information security into and across your organisation can be considered in alignment with this thinking. What you are trying to do is implement controls that will prove to be preventative and will reduce the need for fire-fighting. They will protect the information assets of all concerned (the teeth) if suitably constructed and enforced.

As the ISM, there will be a time when you will need to take on battles with the organisation itself, effectively holding up the mirror of sense in the face of seemingly nonsensical and conflicting requirements. If you spot inconsistencies with regard to the planned roll-out of systems, find a way to communicate this. This is not a role for a wallflower.

Things I haven’t spent a lot of time on

These include other frameworks (e.g. COBIT), regulatory requirements (e.g. PCI DSS), standards (e.g. ISO27001) and activities, such as undertaking back-up, risk assessments and business continuity planning. Some of these activities could be done in February, as it seems to be a quiet month! There are many great resources to address all of these issues directly. There will no doubt be other things, too, that you might have thought I should have spent some time on. What I hope is that this goes to illustrate quite how much there is to be done in the role of ISM. For whatever I have missed focusing on, consider it all needs to be done!

In many ways, we have only scratched the surface. There’s a long career available to you if you take up the challenge of being determined to be chief protector of all things information in your organisation! Or, at least, caring enough to try to grab as much attention as you can from as wide an audience as possible across your organisation.

Closing thoughts

What this book was designed to do was take the reader on a journey through a year in the life of an ISM. This has been delivered in a combination of real time and the past tense, and I hope the reader will forgive that as it is only from reflecting on the past that we can learn lessons for the present and adapt the learning for the future.

There may be no particular ‘eureka’ moments, but it is hoped that putting together these thoughts and experiences in one place for reference will provide a level of sanity checking that will prove helpful in ensuring you get the best out of your day-to-day interactions in the role of ISM. You are an important breed of company asset.

Some thoughts to help consolidate what is hoped to have been key learning points:

  • Don’t constrain yourself to technological concerns. Think more broadly.
  • Have a mission and do all that you can to stick to it. For example, ‘Information is at the heart of all that we do, and we will all endeavour to protect it accordingly.’

I hope that you have seen enough to be sure that it’s a full-time job and to be confident in explaining to your management why it should be kept as such and resourced appropriately.

And finally, be an active professional

There is a lot of work going on in the industry to professionalise information assurance (IA) in particular. Certifications are already available for information security professionals. This all holds tremendous value and you should either be involved in development from the ground up, or ensure that you are maintaining your own continuous professional development. For example, as a result of reading this book, it may be that you need to focus on information and risk management (RM) learning.

Read old internal audit reports – and obviously new ones, too!

Be a member of the relevant bodies, for example:

Read the monthly journals from these various professional bodies and membership groups. Also, follow up on references and resources from articles in the journals and reach out to their authors. Most authors welcome feedback and communication, and you can build a wider network of like-minded people with whom to touch base, who will be able to assist you when you need help.

The bottom line has to be – read voraciously! There is a lot to keep up to date with, so you need to do your best to stay on top of the constant march of progress in the information industry. Rest assured, there is every chance we will swing back around through the Cloud and virtualisation journey to a more mainframe-like existence, in the coming years. This will be a bumpy journey, no doubt, alongside which will be the need to manage a growing level of externally hosted information assets through a vast array of technology. There will be a growing integration of devices and services – smartphones synchronised with home PCs and TVs. The role of the ISM will not get any easier, or any less important, as these advances will all make it harder for organisations to know where their information has gone, even if the user is still working for them. And, of course, the situation produces a very large attack surface.

Keep your security radar up and your knowledge level as high as you possibly can – and never lose your sense of humour!
