As I sit here, on vacation and a mere few hours from the year 2013, I wanted to spend some time looking back, and then looking forward, at how Information Security as a whole can collectively move forward in 2013. This won't be a post of prognostications, predictions or peering into a magic crystal ball ... I'll leave that to those who like to guess. From the last year of conversations, observed behavior, and experience with enterprises and the community, these are the resolutions I believe we collectively should be making.
- Listen better - For 2013 I believe we all need to listen more and talk less. Applied to enterprise information security it's simple: take the time to listen to the enterprise and get to know what they're actually saying. Let the words sink in, and understand the purpose of what they're trying to accomplish before responding. We could all be better listeners, and I'm in need of this as much as you are. Too often we see someone talking and formulate in our heads what they're saying without actually listening to their words and meaning ... then respond to what we think we heard. Don't let this continue into 2013 ... take the time to listen better.
- Talk TO, not AT your audience - There is a subtle but massive difference between talking at and talking to someone. Talking to someone seeks to engage them in the conversation and has a focus on feedback and constructive discussion ... we should be striving for this in information security and in our everyday lives. Talking at someone often means just speaking your mind without regard for what the other person has to say. There is too much of this ... in the community, in the industry, and in the enterprise. It is often the root of why people have such violent disagreements when they're really arguing different points, sometimes from different perspectives, but can't be bothered to listen to the other's response before forcing theirs on them. Whether you're presenting to a conference audience, speaking with someone in your enterprise day job, or in the rest of life - talk to people, not at them.
- Give more, demand less - Recall the last meeting you went into with 'the business'. Now recall the way the meeting went ... did you go in with a list of things you needed them to do? Was there a list of 'demands' for the App Dev team that you were going to enforce before they were allowed to push their application live? If you're honest with yourself, I suspect a large number of you will recall that list, either mental or real ... and realize that you were there to demand something and give nothing. Information Security is about compromise, in many ways, but we need to give to our customers (which is often our internal business) at least as much as we're demanding they give. If you're struggling with a software development organization that consistently tries to push poor quality code, while you give them the same demands every cycle ... maybe it's your fault? Maybe you're not giving enough guidance and effort, and simply demanding too much?
- Strengthen your foundation - I've said it in various ways, but the bottom line is that before you go after purchasing the next APT Defender Pro gizmo, make sure you're confident in the foundational pieces of good IT. Change management, identity and access management, asset management - these are some of the foundational disciplines that are often half-done projects in the back of the Enterprise Security closet. If you've tried to implement a NAC solution without having a solid understanding of your user base, you know what I'm talking about. This is not to discount the very serious, advanced and ever-evolving threats to your enterprise out there - because they're real - but if you don't know who your users are and what they should be doing ... what good are the add-ons layered on top of that? As you build your security stack, take the time this year to re-visit the very bottom and make dang sure you are comfortable with the foundation.
- Remember your purpose - While many of you out there are blessed with the opportunity to simply 'break' for a living, the other 90%+ of you are in enterprise defense mode. Remember why you're employed - the answer is not "to do security" ... it's just not that simple. As Chris Nickerson so aptly put it at InfoSec World earlier this year (paraphrasing), "If you don't know what your company does and how, you should be fired." A CIO at GE Consumer Finance RCF once told me, "If IT goes away I can still do business, not well but I can still do business. If the business goes away you disappear too. Remember who you serve." This was a stark realization for me, the hot-headed InfoSec guy who was freaking out over some things I perceived were big enough to halt the business release of a project ... clearly I was wrong. Remember your purpose - and that purpose starts with understanding and enabling your enterprise to do what it does.
I'm resolving to do the same things here ... because they're important enough, and I'm not immune to making these mistakes. We could all use a little time to put the ego away and take a deep breath. Luckily the holiday break gives many of us time away from work, and more time with family and the things that matter, which can often restore some of the perspective we lose as we work those 60+ hour weeks or accumulate 150k+ miles criss-crossing the globe.
I would like to wish everyone out there a happy, productive, prosperous and focused 2013. Remember your priorities ... and I will leave you with a quote that a good friend of mine recently reminded me of: "Pride goes before destruction."