10 things learnt in the last 12 months

I've been in my present role of Information Security Director for a year. It's a good time to reflect on some of the lessons learnt over the previous twelve months, and here are ten things that I'll share with you.

1. Never assume anything. The first rule is: if you don't check then it hasn't been done.

2. If you are communicating with individuals across five different continents then expect the same message to be interpreted in five different ways.

3. You have two ears and one mouth so talk half as much as you listen.

4. What you know about security is often less important than how you communicate the messages. Know your audience and present information how they want it - not how you think they want it.

5. Learn the business. The security program will not take hold if there isn't an understanding of the nuances that are unique to the business that you work for.

6. Accept that what might be the "right way" according to the book is not necessarily the right way for the organisation.

7. Keep your word. Don't make idle promises - always follow through.

8. You cannot get done everything that needs to be done. Learn to prioritise and deal with the highest risks first.

9. Always discuss risks locally before you share the information globally.

10. Keep on enjoying the job. Information Security is a challenging, rewarding, and interesting career path. Retain that interest in the subject and the rest is easy no matter how difficult or frustrating the job in hand might seem.


About

This page contains a single entry from the blog posted on March 31, 2008 5:00 AM.
