Strategy and the business

Today it’s time for my annual information security strategy review. Some of the activities discussed the last time around are now considered to be business as usual – that’s a big tick in the right box so far as I am concerned, especially as those activities include things considered almost to be new initiatives last year when I first came into this role: network vulnerability testing, patch management and PCI compliance amongst other things.

That means I’m much more available now to focus on making information security more transparent. I’m disturbed by reports recently in the press which state that IT security fears are seen as stifling innovation within organisations (see story here). This does not need to be the case and I personally want to be much more engaged within the business looking for solutions rather than creating problems.

An old sage in the industry once commented to me that you shouldn’t expect to be popular if you’re working in security. I think he actually enjoyed being awkward and saying “no.” I have a different approach: I think it’s much more important to build relationships and find out what you can do to help projects succeed. Superior products need superior security!