Computer Security is full of experts… Steve Riley, Jesper Johansson, Michael Howard, Bruce Schneier, Window Snyder, Thor Larholm, the list goes on and on. [Sorry if I didn’t include your favourite expert, or if you disagree with my list – there’s at least one name on there whose comments I frequently disagree with.]
Do you have experts in your security department? Good, because you do need them – but you can’t, shouldn’t, mustn’t, rely on them as your entire defence against the wide world of evil.
Your company’s IT security should operate largely without their involvement, because you should have processes in place to operate your company’s security.
Experts, even the really clever ones, make mistakes from time to time, they leave, they die, they get caught up in ego wars, and you should manage their contributions on the basis that they are transitory.
Use them while you have them, because they are the foundation of your security – they are the key human element that makes your IT security better than a simple installation of the latest 3-pack of firewall, anti-virus and anti-spyware that you pick up with a rebate at the small computer store that sprang up in the ashes of CompUSA.
But if you’re not using these experts to analyse your IT and design new processes, then you will gain no permanent benefit from their presence, and when they leave, you’ll have to find another to replace them as quickly as possible.
[The process I’m partial to is a direct feedback loop. The guy with the job – and ability – to fix the problem, is the guy who deals with those who experience the problem. It’s not always possible or appropriate, of course, because very often that results in fire-fighting exercises. At some point, you have to stop fighting fires long enough to build a fire engine, and to tell the engineers to stop building things out of wood.]
Build processes that last, and use your experienced staff to build them – but not to operate them. Your best process will be one that can be operated by someone the first day they’re on the job, and that will start that operator down the road to becoming more experienced. Eventually, he’ll be your expert.