As I've traveled across the country, I've often been asked the same question: What's the 2008 key to success as a security leader? From Seattle, Washington to Novi, Michigan, from big state leaders to small county CIOs, people are feeling overwhelmed and under-staffed when faced with mounting security threats. What's to be done?
We've all felt it. The botnets, application attacks, never-ending number of vulnerabilities, new applications with problems and personnel risks wear us down and seem overwhelming. The problems are too big for any one person or company to handle - even if you have a good security team. I've even talked to a few really good pros who are thinking about getting out of IT security because they've had enough.
No, I don't have all the answers, but I'll mention some of the things I've told these friends and colleagues. First and foremost, IT security must be a team effort to suceed. We need to surround ourselves with people and groups that can help - both inside and outside our organizations. We need even more partnerships.
This may seem obvious, but I've lost count of the number of people I've met who have never heard of the US CERT or their state's Informations Sharing & Analysis Center (ISAC). If this is you and you're in government, start with the MS-ISAC portal. Others have never heard of NIST's great website or InfraGard in their area. Most security staff have heard of SANS training, but many don't know about their storm center or their free reading room.
Even more important than knowing about good web resources is having good relationships with vendors who can really help, and colleagues around the country who you can talk to in a pinch. All of this is easy to blog about, but takes time and energy to effectively develop. The payback can be immediate or may take months or years. In my opinion, this is also what makes the job fun and interesting. Hearing stories from others and helping in different circumstances is healthy and always reaps rewards.
In Michigan, we just released a new version of our Michigan IT Strategic Plan. Our plan's six main themes include: Access, Service, IT Management, Great Workplace, Cross-Boundary, and Innovation. (Yes, we have a detailed appendix on cyber security plans. )
Although we've done quite a bit in the collaboration area already, we realize that we still have a ways to go. The cross-boundary opportunities are immense across evey business area in state government and IT needs to help lead the way. Security can truly be an enabler - IF we spread that message. Breaking through old "turf wars" and doing more cross-boundary can save big dollars and enhance cyber security.
I don't want to sound preachy, but security on an island will fail. The Internet is too global and complex. Our web business challenges aren't as unique as many believe. The attacks we are facing are coming from everywhere, and the bad guys will get on your island - if you don't get help.
The criminals are collaborating, so we need to as well. We're all in this security battle together.
