The list goes from 5 to 1,
5. Shift from a threat focused approach to a risk management focus: FUD spreading is dead. As much fun as it is to scare your peers with stories of AV bypassing rootkits, spawned by cave-dwelling jihadist bent on total destruction through the systematic infection of mobile phones, toasters, and digital picture frames, the reality is FUD isn’t working to free the budget dollars like it used to. Learn to quantify risk, understand the implications to the business and ensure that accepted risk can be mitigated and contained once it becomes a reality.
4. Understand the business: Security professionals tend to look externally at threats as opposed to internally at assets and their function. Assets are more than the sum of their vulnerabilities and the threats against them, they exist to provide a function to the business. This function is variable, as is the importance of the assets themselves. The machine used by Bob in HR - the one he spends his lunch hour surfing between Eva Longoria fansites, ESPN, and this blog - has far less impact on the business than the web application front-end for the customer portal and the systems that support it. Understand the business, critical functions that sustain and enable the business, and how to support the business unit owners themselves - which means you may have to actually talk to someone who isn’t wearing a”hackers do it %6e%61%6b%65%64″ t-shirt, can’t tell the time in binary format, and has no idea who Robert Morris is.
3. For the executives, the board and the bottom line, the A in CIA is more important than the C and I: Yes, I know information centricity, and data security, and an orgy of disclosure with billions of supposed dollars of loss, has led us to believe that confidentiality and integrity of data is the most important thing to the business, but it is availability. Did you know that TJ Maxx (TJX) and Choicepoint (CPS) stock are both at their 5-year high of $33.36/share and $48.14/share respectively and climbing?
2. How much the company funds security efforts is directly proportional to your ability/inability to provide adequate security metrics and proven ROI: You don’t know what metrics to provide and no way to provide them, you have no idea if your security spend has been effective, or if your security program is efficient. No wonder the CIO doesn’t take you seriously. Security has no ROI you say, no way to validate that what you spend is justified - and yet, you stand slack-jawed and shocked when the CFO says no to a budget request for $.5 - 1million to implement the latest NAC/DLP/White-listing/lose weight now ask me how, hyped technology. The reality is that the business is motivated to increase profitability, it’s part of that whole free-market, capitalist society thing. With an impending recession, and the inevitable budget constraints that will follow, you need to recognize that security funding is in jeopardy. Before you leap headlong into an exercise in economic gymnastics and begin a quest to find ROI models that don’t exist, look for opportunities to implement better security controls while addressing the bottom line. As a start I laid out some projects that will make the CFO smile and have some impact on security as well.
1. And finally, realize that you probably won’t have the same job in 2012: So all you firewall jockeys and IDS/IPS admins who spent a career learning the ins and outs of ingress/egress traffic flows may want to take a college course on nursing, a field which will explode as all of the baby boomers inch their way towards the golden years.