FRAMINGHAM, MA, US, DECEMBER 15, 2009 - On a good day, the cybersecurity profession can be rough on the mind and body. There's no shortage of IT security practitioners who've developed prickly dispositions during an endless battle with upper management over policy and funding, not to mention employees whose computing habits put the company in danger every day.
But there's no need to feel like a slave to the grind. Just ask Mike Rothman, Security Incite president and principal analyst. Rothman has been around the block more than once, working for such companies as TruSecure, CipherTrust and now eIQnetworks. He's butted heads with upper management and been fired more than once. Along the way, he's learned to be happy in his profession despite the challenges.
He's been traveling to different security organisations of late, giving a presentation on the subject called "The Pursuit of Security Happyness." (As in the movie, the last word is deliberately misspelled.) In a recent interview, he outlined seven keys to finding it.
1. Accepting that we can't win
Let's face it: No matter how many hours you spend in your IT shop and no matter how big your security budget and level of upper-management buy-in, the bad guys are always going to be three steps ahead of you. It's also inevitable that credit won't be given when there's no attack, and blame will certainly be forthcoming in the event of a data breach. Rothman's advice is to lay out a clear definition for success that accounts for these pesky realities and just do the best you can. Remember that the CEO may define career success, but YOU define personal success. If the resources, funding and upper-management commitment are enough to give you a shot at achieving personal success, roll with it.
2. Focus only on what you CAN control
No matter how hard you try, there will always be things you can't control: senior management, budget, user stupidity, IT operational challenges, DBA "dimwits," as Rothman calls them, office politics, business partners, auditors and regulations. The good news is that there are things you CAN control: policies, security awareness, monitoring that enables a quicker response to sinister activity (see the third key), incident response, communications, and how to respond to those "dimwits."
3. Look for NOT normal
As Rothman noted earlier, the bad guys are always a few steps ahead and soft targets are all around us. For example, with botnets everywhere, DDoS attacks are getting cheaper. And no matter how much security awareness training employees have, there will always be one or two people who fall for phishing schemes anyway. This being the case, Rothman recommends IT shops make the most of monitoring tools. The more you monitor systems for unusual activity, the better the chances of stopping a data thief.