This article provides tremendous advice concerning a vital component of IT security often overlooked and ignored. To simply state the obvious – communication is key. Yet, in the world of IT security, we very quickly get lost in a sea of technical jargon and alphabet soup acronyms. Technical speakers often get their audiences lost in the weeds of the “how’s” and “why’s” a security control is needed or a risk is eminent, yet those same speakers never realize anyone is lost because they alone hold the map and never look back.
We as IT professionals need to understand our audiences and their capacity for understanding and reason. Technical controls and eminent risks should be translated into real world examples and practical analogies. We need to be succinct, clear, and timely in our comments. We need to choose our conversational battles and not find ourselves perpetually holding an umbrella while ranting as the sky falls around us.
And above and beyond all of these things, we need to shut up from time to time and truly listen. We need to hear what management teams and end users have to say. We need to ask for and receive with a decent modicum of humility constructive criticism about what is working in the security practice and what might be a significant hinderance to business success. There is always more than one way to tackle a problem, and though many of us have our favorite ways of doing things, those favorite approaches do not hold exclusivity when it comes to what is right for any given business environment.
Interesting statistics…change is inevitable. Skills must grow and change and adapt to meet the demands of IT growth and consumer demand in these spaces.
I agree completely with these five steps. I would particularly focus on end user awareness training and vulnerability life cycle management.
As a former Retail IT security officer, this article brought back some fond memories. It is also filled with some very sound advice. Enjoy!
This article does a wonderful job shining a light on the void that exists between true security and an understanding of what it takes to be more secure in the healthcare industry. I agree that risk management, a construct fairly familiar to healthcare providers, is a great starting point.
I am a user/participate/member of several of the organizations on this list and I can honestly say there is tremendous value in this content. Continuing education is absolutely vital to the success of IT Security professionals the programs they oversee. Please review and take advantage of these resources.
Enjoy this interesting conversation about the direction of IT security testing and better ways to tackle this challenge in a “test and defend” world.