
Odd the connections that our minds make.
As I was reading an email from Verne Harnish, the author of “Mastering the Rockefeller Habits”, a quote from a very successful business owner who uses the system struck me on multiple levels (including running an Information Security Management System): “Routine sets you free …”
For some reason I tend to view the definition of many, many words as their connotation (subjective cultural or emotional meaning) rather than their denotation (literal meaning). I have spent the vast majority of my adolescent and adult life looking to shun the “routine”. To me routine meant rote, mechanical, a grind or a rut. I preferred to view myself as being spontaneous, creative, and free flowing.
Oddly, my role as an information security auditor has changed the way I look at the word routine. I’m not sure whether my connotation has shifted or whether I’m now using the denotation, but I increasingly see routine as positive in nature (e.g., structured approach, purposeful) and spontaneity as negative in nature (e.g., unplanned, improvised, ad-hoc). More interesting to me is that the perceived “restrictions” of routine and the “freedom” associated with spontaneity are too often just that, perception — and worse, a mistaken one. Following routines positions you to address the basics in a consistent and structured manner, which gives you the freedom to be creative and strategic with the less fundamental. Spontaneity, on the contrary, often leads to an ad-hoc approach that results in oversights. These oversights create challenges that require extraordinary effort to remediate, as well as challenges in executing on the basics, directly preventing the very spontaneity you are seeking.
From an information security perspective, I think many of our clients share my former thought process. Mention following a formula (e.g., a back-to-basics approach that includes log reviews, an SDLC, and Risk Management) and you get glazed eyes and a level of disinterest rivaled only by vegans at an all-you-can-eat barbecue. Mention a “silver bullet” shiny appliance that is this year’s solution to the words “information security challenges” and they are fully on board.
So I find myself a “routine evangelist”, preaching to the masses to see the light and understand that it is only through a logical, structured and (yes) routine approach that you can simplify the complexities of information security.
I would argue that the “truth” is out there (e.g., NIST, ISO 27001, ISO 27002, HITRUST, OWASP, COBIT, ITIL) when you’re ready for it (a purely unintentional X-Files reference).
For me personally, the last 5 years or so have been rewarding as I continue to evolve my connotation of “routine” from a very negative one to a very positive one. I only wish I had been smart enough not to wait so long!
APR
About the Author:
John Verry (CISA, 27001 Certified Lead Auditor, CCSE, CRISC) is Pivot Point's resident "Security Sherpa". He is lucky enough to spend most of his day helping clients develop a road map to address security, compliance, and attestation requirements.