• Sell security, don’t force-feed it.
Demonstrate to your organization that security adds value, as opposed to presenting security as a necessary burden. Detail the value of security in terms businesspeople can understand.
• Remember that security planning is neither an absolute science nor an ad hoc process.
Security planning is a process that must be constantly managed and optimized, hence it can never be regarded as “finished.” Help people in your organization understand that security planning is an ongoing activity, not something you do until you reach some ultimate solution.
• Achieve balance when planning.
Avoid the extreme practices of ultra-planning and nonplanning. A lack of focus is the enemy of security.
• Prioritize and focus your information and infrastructure security planning and budgets.
Regularly perform security risk and impact analyses.
• Create a cross-organizational security planning team with an executive mandate.
Manage the effectiveness of your security plan through a structured quality management process.
• Plan security within the context of business, life cycle management, and technology.
Security planners must understand the plethora of technology they are protecting, not simply the tools designed to protect it.
• Treat security policies, procedures, and training as the backbone of your security plan.
Take into account the specific needs of your organization, regularly look for opportunities to introduce needed training materials, policies, and procedures or to improve existing ones.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.