Analyze this. Vince Lombardi is coaching the Packers in the Super Bowl. There are 2 seconds left in the game, with the Packers behind, 30-27, on the opposing team's 40-yard line. With time for one play, should the Packers attempt a tie with a field goal or go for a touchdown?
Lombardi could do one of two things: consult a statistician to determine what other football coaches have done in similar situations, then choose the option the other coaches chose most often; or make his own decision, based on his understanding of his players, the opposing team's strengths and weaknesses, input from his coaches, and myriad other details.
Lombardi, clearly, would have made his own decision. When it comes to information security, though, many CIOs and chief information security officers would follow the first scenario, known in the industry as information security best practices.
Best practices, however, are inherently problematic. They often don't work consistently for all organizations. Companies may justifiably deploy systems differently to conform to their cultures and their needs. Force-fitting one company's practices onto another doesn't work.
Best practices are often little more than a feel-good exercise, an attempt to show senior management that an IT manager is keeping up with the Joneses.
Best practices look at what everyone else is doing, crunch numbers—and come up with what everyone else is doing. Using the same method, one would conclude that best practices for nutrition mandate a diet high in fat, cholesterol and sugar, with the average male being 35 pounds overweight.
A call for leadership
What's needed to go beyond best practices and into the realm of effective, proactive security? Leadership.
The CIO or CISO must have a clear vision and the boldness to pursue it. He or she must have the aptitude to lead and real power to implement meaningful change, which requires the trust and support of senior management.
The key is to have Vince Lombardi's experience and skill before making decisions. By the time he was a head coach, Lombardi wasn't following football best practices; he created practices that many others tried to emulate.
If Lombardi were a CIO or CISO today, he would be relentless in pursuing quality; excellence; the understanding of risk; and the execution of a workable, realistic, pragmatic security strategy. CIOs and CISOs today can't find a better role model.
Ben Rothke is a New York-based security consultant with ThruPoint Inc., a global IT consultancy. McGraw-Hill has just published his book, "Computer Security: 20 Things Every Employee Should Know." Rothke can be reached at [email protected].

Free Spectrum is a forum for the IT community. Please send your comments and submissions to [email protected].