Wednesday, April 27, 2016

Baby Steps to Better: In Life and Information Security

How do you eat an elephant? That is a question often asked in my house when someone is presented with a difficult, time-consuming task. It is usually answered by one of my children mumbling “one bite at a time” under their breath as they head off to clean their room, dragging their feet as they go.
This simple concept is one that can be applied to all of life’s tasks, but today I will expand on its applicability to the field of information security.

Anyone in the information security industry will tell you that a completely secure environment is virtually unattainable. In case you haven’t picked up on it thus far, the elephant in this room is risk.

When it comes to securing our information systems and protecting their associated business capabilities, we will never be able to eat the entire elephant, no matter how much money, time, and people we put toward the endeavor. As security professionals, our job today is to keep taking bites, for no other reason than that in doing so, there will be a little less elephant to deal with tomorrow.

The “baby steps to better” approach is probably the most we can hope for when it comes to making our systems and environments as secure as possible. We are charged with asking and answering one question: what can I do today that will make my organization a little bit more secure tomorrow? There is no way we will be able to address all of the risk in a short amount of time (or any amount of time, for that matter), since budgetary constraints and an ever-evolving threat landscape limit the playing field.

As someone said on the latest episode of Paul's Security Weekly, security is not a sprint or a marathon, but an endless loop of assessment and mitigation.

Steve P. Higdon has been working in the information security field for over ten years, providing support and consultancy to several public and private sector organizations. Steve holds several industry certifications and can be reached via email at infosec@stephenhigdon.com and on Twitter at @SteveHigdon.