Jim’s Security One Liners
A Perspective, not THE Perspective
- Safety is different than Security, you have to do BOTH to help people FEEL safe. (Mike Rowe got it right about Safety Third)
- All, in every language means All
- Enterprise(-wide) is EVERYTHING under the CEO (study the Directory of Companies)
- Secure is different than compliant
- Figure out your “Grandma Story” or Security will be very frustrating
- Honor the ones before you, never stop learning from them and certifications and your network
- A Security Professional’s priority every day, when your feet hit the floor, is to operate with absolute integrity. I’ve investigated security peers; it’s miserable.
- A brand has unbelievable power over suppliers, but treat their CSO/CISO with respect.
- Security will never be centralized in most organizations (Anyone remember the Who’s Who chart)
- There are very few true policies in an organization that are enforceable to the level of a fireable offense. If it’s not a written, signed Policy, stop calling it “policy”; it’s not the “hammer” that will help you, it’s relationships that fix stuff.
- Before you start a security task/project/analytic/case, make sure your audience is ready for the answer. Know when to stop.
- If you don’t know the size of the pie chart (enterprise-wide plus “all”), your metrics/KPIs won’t move the “more secure” needle
- Getting a “Seat at the Table” is hard and expensive, but is the best Security ROI.
- Security Teams: if you want a “seat at the table”, become a servant to the other people at the table
- Never ever be afraid to call the Ethics Line, they are an amazing group of people. I had my challenges with some of their answers over 28 years of calling/writing, but I respected them more than any other group.
- Domestic and International culture should be the first class for all security newbies and renewed every year.
- The size of the pie chart for supplier risk is the number of suppliers that increase your risk, not just the number you have under contract or pay directly.
- Start measuring security until it scares you. I gifted you a book as a starting point; read the head fake, it was written to make your organization better. If the senior leadership and board aren’t REALLY freaking out about security, you have failed in your metrics program. Stop measuring by stupid business unit names or org chart names; business units NEVER funded or fixed a security problem, HUMANS did
- Supplier Security Questionnaires get answered with one of two things: what the Supplier BELIEVES is the answer but hasn’t verified, OR what the Supplier wants you to hear/read so you’ll hopefully “move on”. Stop using these things; just show up and ask GREAT questions.
- Risk Assessment – If you aren’t doing the ENTIRE formula of a risk assessment, STOP calling it that
- Security vendors/suppliers/manufacturers rarely have carrier-class solutions, some barely have enterprise-class solutions. Some will want to learn from you, some won’t and still make horrible claims and people will still buy. Be tough on security vendor’s marketing departments!
- Care (Thank you Susan Menaker)
- Have Fun, Leave a “calling card” – TIAT, Kilroy Was Here, Lab Attack