There’s so much fear, uncertainty and doubt in the information security world today that many people have become pessimistic about the possibility of keeping the bad stuff out of our systems and networks, or at least detecting it in time to eradicate it before any great harm is done. I’m not one of them. I believe that with the right mix of attitude and aptitude, building a secure enterprise is within anyone’s grasp. Will the security be perfect? Of course not. But I think it will be capable of meeting the challenges of today’s threat environment.
Not that I want to sound cocky. In fact, I always find it a good idea to refer to one of my favorite quotes: “There ain’t a horse that can’t be rode, and there ain’t a man that can’t be throwed.” Nonetheless, I am confident that truly effective information security programs can exist. In fact, I’ve seen some of them. Not a lot of them, it’s true, but their very existence suggests that more organizations can join them. I’ve reviewed hundreds of information security organizations over the years. The vast majority were mediocre at best, but every once in a while, one comes along that restores my faith in the art of the possible. I encountered one recently, in fact. Let me tell you about it and about the attributes that make it stand out.