I recently finished reading the book The Blind Side
Long Arms
A superstar NFL left tackle needs long arms. Arms (along with good hands) provide the frame for blocking and controlling a charging defender. A tackle's objective is to get his hooks in quickly and then use those arms to maintain contact and control through the entire play. In infosec, we need to do the same thing.
An effective security program will have long arms that hook into the business at strategic places. We need to maintain good contact with all key aspects of the organization, all the while helping to establish and maintain controls. Just as the tackle protects the quarterback's blind side, so the infosec program seeks to do the same for the business. In infosec, we extend these arms through a variety of methods, such as effective awareness training, outreach, assessment, audit, metrics and measurement, as well as through publishing and promoting security policies and by providing technical safeguards.
A Solid Base
Having long arms won't do a tackle any good if he doesn't also have a solid, powerful based. He needs to have immensely strong legs and wide hips that provide him the ability to settle in and keep the charging defender at bay. Similarly, infosec programs also need a solid base. Without proper support, the security program cannot be successful. It's vital that we seek out and receive backing from the business, executives, and all other parts of the organizations. We cannot afford to be seen as jack-booted thugs, but must instead strive to be an integral part of the team.
Along these same lines, it is imperative that work to build high-quality teams. This sector is very challenging, and as such requires intelligent, motivated, skilled people with a passion for the work. While there are some situations where security professionals can function with minimal soft skills, overall it is very important that we exercise self-discipline and restraint in interfacing with others in the organization. All of these attributes work together to help establish the security program as one of the cornerstones of the successful business foundation.
Quick Feet
Lastly, despite having long arms and a solid base, if the NFL left tackle doesn't have quick feet and agility, then he will not be successful. If the attacking defender can just run around him, then he's been little more than an annoyance. It is no different for security programs. If we cannot move with the business, instead of hindering it, then we will see the business running around us, avoiding our efforts, and invalidating our approach.
Never has this need for agility been more clear than now, what with the continued popularity of agile development approaches, and with the increasing momentum toward cloud-based solutions. We in security cannot afford to simply dig in our heels and hold the line. Instead, it is of the utmost importance that we have quick feet so that we can not only get those hooks in, but so that we can continue to readjust in order to maintain controls as the business moves. Remember: the only constant in life is change.
