Journey to Shangri-La : Feeling Successful in IT Security and Compliance
Photo 48688312 © Helen Filatova | Dreamstime.com

Living in the world of IT Security can be challenging and often discouraging if we don’t manage to keep a healthy perspective. It sometimes feels like we are doing our best, crossing our fingers, and hoping that the next issue or incident doesn’t paint our months or years of effort as failure. Across a large organization it can be very difficult to say specifically how good things are (i.e., the security posture) or how many incidents or breaches were avoided, blocked, or mitigated. The actual impact to the business can be analyzed somewhat objectively, with sufficient time and effort, after something occurs. It is quite another thing to know definitively ahead of time what the impact of a breach will be, and we certainly cannot know the impact of the [as yet] unknown. IT Security can be a daunting area to work in: with large expectations pitted against limited resources, satisfaction for a job well done can be hard to come by.

So, what are IT professionals to do? What is a healthy perspective here? As I was putting together some content for the new year, it occurred to me that I should include some exploration of what “success” is. Not so much the individual “to-dos” and milestones, though those are very important, but overall success. Every enterprise is at its own unique stage of the security and compliance journey, a maturity level if you will. Naturally, the typical enterprise also has tactical and strategic goals for its various work-streams. Year after year this can feel like a never-ending cycle, and yes, in some ways that will always be true. We know we are never completely done and must continue to evolve, react, review, and then iteratively enhance to be effective over the long term. With such a relentless cycle, what would ultimate success look like, or even feel like? When would we be able to look across the breadth of what we have done, across the domain of IT security and compliance, and get a little “misty eyed” because that world is conquered (paraphrasing the Alexander the Great quote) [1]? That would mean reaching a place of sufficient maturity in all aspects that, going forward, only “business-as-usual” iterative adjustments are required to keep things in great working order.

The above was not a tease. This is not one of those streaming documentaries that hooks you with trailers suggesting the answer will be provided at some point in the show. I love mysteries, but I also love getting to the answers. The section below presents one view of what overall success might look like in an enterprise IT organization with regard to security and compliance. You may not agree with the specific items, but hopefully you will recognize the value of such an exercise and of socializing it within an organization. It would be great to see feedback in the comments on where you stand on the premise of the article and what your own description of overall success might be.

[Image: Mount Everest in autumn; see [4]]

Since I liken our IT security initiatives to a journey with many important destinations along the way, I’m reminded of the documentaries I’ve been watching recently about mountain climbing: the amazing achievements of those in the “Seven Summits” club, or of climbers who have summited all fourteen mountains over 8,000 meters. For climbers who set the goal of reaching the highest peak on each continent (the Seven Summits), or of topping all fourteen 8,000-meter peaks, it is a journey, and each summit is an important accomplishment along the way. Here is a view of the “Eleven Summits” for overall success in IT Security and Compliance.

  • Providing a framework and ecosystem that facilitates and maintains continuous security and compliance, at the appropriate thresholds, positioned to respond effectively, embracing iterative refinements, and properly managing risk to the business
  • Seamless integration and provisioning across systems and the management components
  • Support for the main computing platforms/systems utilized in the enterprise
  • Integration with other necessary and important data sources and applications
  • Pervasive automation that underpins and overlays the IT infrastructure and systems
  • Relevant, easily consumable APIs to the security and compliance infrastructure
  • Instrumentation of the key metrics for all the supported components
  • Flexible and sophisticated, yet easy to consume, portals and reporting for all key stakeholders
  • Streamlined and optimized notifications and escalations
  • Stakeholders who are sufficiently knowledgeable, trained, and “aware”
  • Sufficiently controlling the burden of IT management related to security and compliance

Whether you are in the early stages of such a journey or you have reached the mythical Shangri-La [2] of ultimate success, I believe we must, as the line from the 80s song by Triumph goes, “fight the good fight every moment” [3]. IT security is important. Those involved should take pride in the good work being done every day and know that it is valuable and appreciated by many. Take satisfaction in the journey and the key achievements along the way as you strive for that overall success.

Disclaimer:

Boring Disclaimer: These thoughts are my own and I am not posting as a representative of any company. Your mileage may vary. Objects in mirrors and binoculars may be scarier than they appear (or they might not). If this had been an actual emergency, you and I would likely be doing something more important.

References:

[1] “When Alexander saw the breadth of his domain, he wept for there were no more worlds to conquer” - Plutarch, https://www.goodreads.com/quotes/526796-when-alexander-saw-the-breadth-of-his-domain-he-wept

[2] Shangri-La – fictional place described in the 1933 novel “Lost Horizon” by James Hilton, ASIN: B007JCZGOC, https://en.wikipedia.org/wiki/Shangri-La

[3] Triumph, “Fight the Good Fight”. Allied Forces, Round Hill Records, 1981

[4] Mount Everest in autumn image attributed to: Photo 60234084 © Helena Bilkova | Dreamstime.com