Keeping Your Security Strategy on Track Amidst Tactical Distractions

“Goodbye to Rosie, the queen of Corona” - Paul Simon, Me and Julio Down by the Schoolyard

For obvious reasons, the Coronavirus (COVID-19) has dominated news cycles, concerned governments, and inundated public health organizations. In addition to these organizations and many others, information security teams find themselves quite busy dealing with this pandemic as well. Business continuity, supply chain risk, and remote access, among other topics, have come to the forefront as security challenges that the business must deal with.

Because it is a global pandemic, there is no shortage of attention being paid to the Coronavirus. In this article, I’d like to draw a different lesson from this example.

The buzz around this virus is the quintessential example of day-to-day challenges usurping the security organization’s strategic path. I’m not downplaying or ridiculing the seriousness of the Coronavirus. Rather, I’ve been observing how it has consumed security professionals at the expense of their other day-to-day activities. Those very activities were, up until a few weeks ago, of the highest priority. Now, however, they are a distant memory.

Given the challenge that the pull of current events presents to the strategic path of a security organization, what are some ways in which the organization can help itself stay on track? It is in this spirit that I offer ten ways to keep strategy on track amidst tactical distractions.

1) This too shall pass:  Take a deep breath.  Remember that no matter how pressing and urgent a crisis seems, it will eventually end.  Stay calm, cool, and collected and try to apply logic and reason wherever and whenever possible.  In the end, you and your team will weather the storm far better than someone who let their emotions get the better of them.

2) The show must go on: No matter what comes your way, it’s still your job to protect and defend your organization from attack and unnecessary risk.  While the emergency du jour may be grabbing headlines and attention, it isn’t the only risk your organization faces.  Whatever has grabbed everyone’s attention won’t stop the attackers from attacking in the manner they always do. Keep security operating.

3) Re-prioritize: Presumably, you prioritize your goals against your available resources (time, funding, and staff) periodically. When a high-profile event hits, you simply need to run through the same exercise again. This time, there will be fewer resources available to address those same goals. So, make sure that you’re addressing those goals that are of the utmost importance. Note that this may involve reassigning some staff to different tasks than they were originally working on.

4) Remember risk: When a crisis consumes us, there is a tendency to portray it as if it is the only risk we face.  But, no matter how clean your hands are, if you don’t look both ways before crossing the street, you can still get hit by a bus.  In other words, even if you take all necessary precautions around a given hot topic, there are still many other ways in which your organization can be exposed to risk and damage.  It’s important to understand the impact of today’s hot topic within your overall risk picture.

5) Keep everything in proportion: Maybe you’re on conference calls 12 hours per day for the foreseeable future.  Perhaps several members of your team have been completely diverted from what they should be working on.  Maybe you’re questioning why you got into this business in the first place.  Take a step back and look around.  It’s not that bad.  You still have a reasonably good life, a decent job, and hopefully people around you who care about your well-being.  In the grand scheme of things, what you’re in the midst of is a blip on the radar.  In ten years, you’ll likely laugh about whatever’s got your attention.

6) Keep your focus in the right place:  Crisis or not, there will always be distractions, professionally and personally.  It is all too easy to get off course and lose focus on what’s truly important.  Don’t let this happen to you.  Remember your priorities and focus on risk.  That will keep you on track no matter which distractions come your way.

7) Don’t let something consume you:  If you need to deal with an issue, deal with it.  Make a plan and execute in accordance with that plan.  You’ll likely need to carry on with other matters in parallel, and you should.  Get used to operating with something big hovering over you.

8) Other people’s crises:  Many security professionals want to help wherever they can. When you have your own crisis to deal with, make sure you prioritize it, along with other important work you need your team working on. Resist the temptation to get involved in everything that comes across your desk.

9) Someone else’s poor planning:  It’s important to learn how to differentiate between a real crisis and a manufactured one that is the result of someone else’s poor planning.  A real crisis deserves a quick response.  A manufactured crisis necessitates a lesson in better planning.

10) Remember to laugh:  A splash of laughter goes a long way towards making work (and life in general) much easier.  True, a critical situation isn’t one to be taken lightly, and I would never advocate doing so.  That being said, it’s okay to laugh now and again to relax, relieve tension, and help keep morale up.  Wearing a smile and keeping the mood light doesn’t mean that you aren’t taking the situation seriously.  In fact, it usually means you’ll handle it far better.

Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.