24 Jun

Saturday morning I was up and out the door early for a long run before the heat set in too much. As I was running I was thinking to myself, “Gosh, having a good exercise routine is kind of like having a good information security program.” I had lots of time to ponder this particular issue, as my iPod was unfortunately not charged and I had no one to talk to. Here are a few things I thought of that make exercise and security so alike.

1) Set goals: Both in exercise and in information security, it is good to set goals. For example, before I can write up a training plan for myself, I need to know what race I’m training for and what my target pace is. Similarly, before I can write up my information security plan, I need to know what information I need to protect and how much protection I need (is this credit card data, or is it records of what color paint my store sold last year?).

2) Stick to the plan: Sometimes on Saturday morning at 6 a.m. I don’t really want to go for a run, but I know that the only way to reach my goal is to throw my legs over the side of the bed and stand up. I also know that the best infosec plan in the world does no good if it doesn’t get followed. It may not be fun to conduct that periodic audit again, and it may be frustrating to have to patch those darn servers in the middle of the night so you don’t impact the production systems, but you’ve got to do it. A plan in a drawer is no plan at all!

3) Make the plan doable: I could probably run my race a lot faster if I were willing to quit my job and train full time, but that’s just not practical. I need to keep perspective on the rest of my life and make the plan something that I can accomplish. The same is true for the security plan. It’s not reasonable to expect your team to install each and every patch within 24 hours of release. Save that extreme stuff for the really critical items that only come up once in a while. Be reasonable, and you’ll make everyone’s life easier. No one wants a security approach that flies in the face of usability. But there are some things that just can’t slip – make sure you know what those are. Passwords, for example: I know it’s easier to remember five-letter passwords with no complexity requirements, but if you let that happen, you may as well forget the rest of the plan.

4) Celebrate your successes: I run with a group twice a week, and the coach keeps track of our times throughout the season(s). When I hit a personal record, she knows it and we celebrate the accomplishment. Do the same thing with security! Did your annual assessment just come back with 20% fewer recommendations? Did you just pass a penetration test with flying colors? Great! Celebrate! There’s always another mitigation recommendation you can implement, but don’t forget you’ve done many already, and congratulate yourself on a job well done.

