The following is a guest post from Kevin Beaver.
Thomas Edison once said that many of life's failures are experienced by people who did not realize how close they were to success when they gave up. Thinking about this in the context of security, the success you're looking for could be just a day's worth of work away. Or maybe just a few weeks' worth. But how do you know? Will you be able to figure that out without falling into the trap of giving up too soon?
When it comes to reaching a greater level of security, many barriers are self-imposed. Sometimes it's just a state of mind: the belief that you can't accomplish this or that, so your security posture never gets where it could be. I see a lot of people who basically throw up their arms in defeat because they're not getting what they want or what they assume they need. And there always seems to be an excuse for why things cannot be accomplished:
- Lack of buy-in
- Lack of budget
- Users who keep making mistakes
- Auditors and others armed with those dreaded security questionnaires taking up all your time
The opportunities for distraction are endless. You must decide whether or not you are going to keep pushing through to make things work for you or whether you are going to let these roadblocks get in your way and work against you. Improvement or mediocrity: It’s really a choice.
In security, there's always more that can be done. More patching. Better user awareness and training. More—and better—vulnerability management and penetration testing. More network visibility. More involvement with the business. Better relationships. The important thing is that you keep putting in the work and moving forward. Contrary to widespread belief, security is not a one-time state. Nor is it a destination. Instead, it's a set of processes that, when well thought out and properly executed, will help you create and maintain a successful journey down the proper path.
Figure out what you need to do to make this happen. First off, stop striving for perfection. That state doesn't exist in IT, and chasing it is not a helpful mindset. Rather than keeping a long list of things to focus on, find the one thing that could help you more than anything else. It likely has to do with people, politics, or processes in and around IT. Once you shore up your shortcomings and establish a cadence and momentum, you'll realize just how close you were to attaining the reasonable state of security your business needs. Aim high, but focus on that small set of seemingly trivial things that can make the biggest difference.