July 16, 2012

Focusing on People vs Technology in INFOSEC

Written by David Kennedy
Consulting for other organizations gives an interesting perspective on how well security is growing in the industry. We get to see a wide variety of companies and how they are tackling threats and risk to their organizations. What we continue to see is a large emphasis on products and solutions versus investment in people.

The most recent organization was extremely large and undergoing a large deployment of the latest security product. They had two people dedicated to security who were already overworked and had no capacity to handle this new technology. This seems to be the normal trend for a number of organizations: the emphasis goes to implementing a preventative control rather than to additional training, additional headcount, or help from the outside. In my experience on the corporate side, budget has always been high on capital expenditures and low on the direct expenses front. It's much more difficult for CSOs and CISOs to get the appropriate funding for personnel and alarmingly easy to get funding for the APT Firewall 2GEN DLP WAF Preventer 9000. The issue with this model, as with anything, is that there are no people to support the technology and, the most important element, there is no program to support the technology. This is an alarming trend that seems to be systemic across the majority of the security industry and not something that is going to stop anytime soon.

A recent FoxNews article showed a company in Denver paying its employees $7,500 a year to go on vacation. There were three major catches: the employee had to turn off all technology, the employee had to go on an actual trip, and the employee was not allowed to do any work on their trip. Reference: FoxNews article. This is the type of environment we need to set forth for our people. An investment in people which actually has a notable return -- performance! Security programs cannot flourish or function without an adequate investment in people.
Buying a scanner is just that, a scanner. Without driving it into a vulnerability management program with people who can track down issues and communicate with the different business units, the program dies and the investment is written off.

Things to do to focus on people:

1. Focus on culture and having a fun environment for your people to work in.
2. Send the team to security conferences and additional training events.
3. Have a clear and concise roadmap for your team and an understanding of career advancement.
4. Focus on building security programs first before ever investing in technology -- use technology for automation.
5. Work on automating and streamlining processes versus adding additional work to broken ones.
6. Staff appropriately and fight for additional headcount where it is needed. Be careful not to over-hire.
7. Take time out of your day to focus on people, seeing how they are doing and whether there is anything you can do.
8. Communication. Communication. Communication... Did we say Communication?

Take these eight steps into consideration when building a security program. Understand that people are what make a solid security program, not the technology. Your job should be a place where you want to learn, grow, and have fun.