It was interesting to speak to people who are starting on their journey into the world of information security and to point out some of the challenges they face.
One of the key skills I highlighted that they will need is the ability to clearly communicate to management the risks certain activities will bring to the organisation and the security controls that would need to be put in place to manage those risks. This also means accepting that management may not always agree with or understand what you are trying to tell them, which in turn means that you will not always get approval to implement all the changes that you want to put in place.
The key skill to develop, therefore, is to understand which controls are important to implement and which may not be so important. As criminals prefer to take the easiest option (after all, that is why they make their living from crime and not from hard work), making your systems that little bit harder to break into than those of your neighbours may be all that you need to do. So in the majority of cases, most of us simply need to ensure that we can protect our systems from the automated and less sophisticated attacks that are out there.
It reminds me of the classic joke from Billy Connolly about the two cameramen filming a lion. The lion sees the two cameramen and proceeds to chase after them. One cameraman stops and puts on a pair of running shoes. His colleague tells him, “You will never outrun the lion in those”. He replies, “I don’t need to outrun the lion, I just need to outrun you!!”
So remember, you don’t always need to outrun the lion, just outrun the rest of the menu.