Life sure can be a doozy of a thrill sometimes. And then there are those times when you try to swallow the elephant whole and you get smooshed. The trick, then, seems to be in eating that elephant one bite at a time (never minding just how odd that sounds). This is the lesson I've learned in the past few weeks. As such, a few brief missives on mistakes that I've made thus far in my quest to build a security program.
* You cannot do everything all at once. Seriously. It's just not rational or sane.
* Prioritization is a myth without understanding the business and its priorities. I cannot tell you what's right if you don't tell me what is important.
* Setting expectations is great, as long as that doesn't change every week. Yes, business and life are fluid and dynamic, but at some point you have to put a stake in the ground.
* When faced with limited resources (read: nearly every imaginable case) you should first find out what you can do with what you have before launching into a sob story about how poor little you needs some resources.
* Models, frameworks, and methodologies are wonderful things, at least until you try to implement them. My TEAM Model is great on paper, but I've realized that it's not quite right. So, on the side I'm trying to revise it. And write a book. And figure out risk management. And. And. And. (see first point above)
* Don't forget, you didn't (likely) just fall into this position. You probably actually have real and useful experience that you bring to the table. Don't, um, forget to, ya know, recall and use it.
* PCI is not a security program roadmap. Yes, I know that. But do they know that? Compliance can be a great driver, but let's make sure the bus has the right people onboard and is heading in the right direction.
I'm sure there are lots of other "lessons learned" missives to add here. What are yours?
This seemed oddly appropriate, though I'm using it completely in the wrong context. :)
Where The River Bends Lyrics

Tell me what you think, tell me what you feel
Is this thing a fake, or is it for real
Is it what you hoped for, what you dreamed
Is it something strange, that you never seen

Does it lift you up, closer to the light
Does it send you raging into the night
Where did it begin, will it ever end
Where the sun sets and the river bends

Where the river bends, is a place I've been
The water's not as blue, and the grass well it ain't so green
The current gets strong, it can pull you down
You gotta swim hard, if you want to turn around

But I don't want to go there, baby not with you
I'm happy right here, now I got a love that's true
So let's stay awhile, and invite our friends
No one needs to go where the river bends

No No No
No No No
No No No
No No No

I don't want to go there, baby ever again
I'm gonna be with you right here till the very end
So let's stay forever and ever and ever amen
No one needs to go where the river bends

No No No
No No No
No No No
"PCI is not a security program roadmap."
Need a good blog post on why not, please?
I am thinking of a "why yes" post, BTW.