How NOT to Build a Security Program

Life sure can be a doozy of a thrill sometimes. And then there are those times when you try to swallow the elephant whole and you get smooshed. The trick, then, seems to be in eating that elephant one bite at a time (never minding just how odd that sounds). This is the lesson I've learned in the past few weeks. As such, a few brief missives on mistakes that I've made thus far in my quest to build a security program.

* You cannot do everything all at once. Seriously. It's just not rational or sane.
* Prioritization is a myth without understanding the business and its priorities. I cannot tell you what's right if you don't tell me what is important.
* Setting expectations is great, as long as that doesn't change every week. Yes, business and life are fluid and dynamic, but at some point you have to put a stake in the ground.
* When faced with limited resources (read: nearly every imaginable case) you should first find out what you can do with what you have before launching into a sob story about how poor little you needs some resources.
* Models, frameworks, and methodologies are wonderful things, at least until you try to implement them. My TEAM Model is great on paper, but I've realized that it's not quite right. So, on the side I'm trying to revise it. And write a book. And figure out risk management. And. And. And. (see first point above)
* Don't forget, you didn't (likely) just fall into this position. You probably actually have real and useful experience that you bring to the table. Don't, um, forget to, ya know, recall and use it.
* PCI is not a security program roadmap. Yes, I know that. But do they know that? Compliance can be a great driver, but let's make sure the bus has the right people onboard and is heading in the right direction.

I'm sure there are lots of other "lessons learned" missives to add here. What are yours?

This seemed oddly appropriate, though I'm using it completely in the wrong context. :)

Where The River Bends Lyrics

by Matthew Barber

Tell me what you think, tell me what you feel
Is this thing a fake, or is it for real
Is it what you hoped for, what you dreamed
Is it something strange, that you never seen

Does it lift you up, closer to the light
Does it send you raging into the night
Where did it begin, will it ever end
Where the sun sets and the river bends

Where the river bends, is a place I've been
The water's not as blue, and the grass well it ain't so green
The current gets strong, it can pull you down
You gotta swim hard, if you want to turn around

But I don't want to go there, baby not with you
I'm happy right here, now I got a love that's true
So let's stay awhile, and invite our friends
No one needs to go where the river bends

No No No
No No No
No No No
No No No

I don't want to go there, baby ever again
I'm gonna be with you right here till the very end
So let's stay forever and ever and ever amen
No one needs to go where the river bends

No No No
No No No
No No No

1 Comment

"PCI is not a security program roadmap."

Need a good blog post on why not, please?

I am thinking of "why yes" post, BTW.

About this Entry

This page contains a single entry by Ben Tomhave published on June 17, 2009 9:10 PM.
