• Sell security, don’t force-feed it.
Demonstrate to your organization that security adds value, as opposed to presenting security as a necessary burden. Detail the value of security in terms businesspeople can understand.
• Remember that security planning is neither an absolute science nor an ad hoc process.
Security planning is a process that must be constantly managed and optimized, hence it can never be regarded as “finished.” Help people in your organization understand that security planning is an ongoing activity, not something you do until you reach some ultimate solution.
• Achieve balance when planning.
Avoid the extreme practices of ultra-planning and nonplanning. A lack of focus is the enemy of security.
• Prioritize and focus your information and infrastructure security planning and budgets.
Regularly perform security risk and impact analyses.
• Create a cross-organizational security planning team with an executive mandate.
Manage the effectiveness of your security plan through a structured quality management process.
• Plan security within the context of business, life cycle management, and technology.
Security planners must understand the plethora of technology they are protecting, not simply the tools designed to protect it.
• Treat security policies, procedures, and training as the backbone of your security plan.
Take into account the specific needs of your organization, regularly look for opportunities to introduce needed training materials, policies, and procedures or to improve existing ones.
• Profile hackers and plan your interactions with them.
Understand that hackers have different motivations and try to anticipate which ones will be most attracted to your organization. Provide clear mechanisms that hackers or those who find security problems with your infrastructure can use to communicate with you should they choose to; for example, institute a very accessible email address on your website (e.g., security@your_company.com). Finally, train customer service staff so they know how to deal with hackers who contact them to point out a vulnerability.
• Build an incident response plan and team.
Practice your organization’s security strength by assessing its response to actual and simulated incidents.