Information security management is much like anything else that is subject to management, or requires management, and I am not going to explain why we need a management function in a system to make sure the system is running and functioning as expected, at least not in this article.
By similarity, I mean there is no particular attribute of “information” that makes managing it significantly different from any other subject. Perhaps the pace of information systems, or the flow of data in them, is faster than in most other systems, but that is also not what I want to focus on at the moment.
I simply want to go back to the “basics of management” and bring this fact to your attention: most managers do not have the right techniques to manage their resources. Simply put, that is the reason most of us are not happy with many of the systems around us. We don’t think company xyz is doing a good job of taking care of their customers, us. We think company zyx could deliver the service or goods faster. So basically, things are not being managed in the right way in those companies. I know it seems obvious, but what is the root cause? We always talk about good managers and bad managers, but what differentiates good and bad management?
I have to say that the main factor is “luck”. I am not joking: managers decide spontaneously, on the spot, and based on things that are not under their control, so they just react to each event or challenge in isolation and are literally unable to form a holistic understanding of their challenges.
In infosec management this results in incidents, malware outbreaks, lack of adequate backups, frustrated end users, security controls that are too tight or too loose…you name it, and just because they tend to decide based on “nothing”, or on “emotions”, or…the decisions are simply irrational, and the result is that resources are always lacking, we are always behind, juggling becomes an accepted strategy, and it actually becomes the norm for a manager to say we do not have enough resources and simply ignore deadlines.
Management requires techniques, objectives and methodologies, and based on those we decide how to deal with a situation, how to start and finish a project, and how to make sure resources are aligned. These techniques are not complicated, and in fact you won’t need any tool to execute them; they can grow organically in any unique environment. The only thing they require is a manager who understands the need for a mechanism behind his/her decisions.
Bottom line: managing is an art and requires techniques for decision making. It is not just a title given to someone that grants immediate authority; it is a matter of understanding what you have and what you are trying to accomplish. Seems obvious to you? What is your technique to make sure all your projects are going to finish by their deadlines? Are you one of those managers whose best technique is to gather their team and, in a deep, serious tone, say: folks, we have to finish this and that by next week…and then criticize or fire someone who was not able to accomplish something impossible, because his/her manager lacked the basic understanding that management is not just assigning people to tasks with no consideration of all the elements they are facing?
In information security management, lacking the fundamental techniques of the task (managing) ends us up with malware infections, unauthorized information disclosure, vulnerable software…a bunch of started and unfinished projects and initiatives with no possible way for anybody to fix them.