Managing security is as much about managing people as it is software and hardware, say those who do it for a living.
Kirk Drake, vice president of IT at the NIH Federal Credit Union, says one of his favourite management tactics is talking every day with the IT staff in charge of network and applications.
"I figure out the things that absolutely shouldn't go wrong, from routers to financial things such as dividend postings and check files, and accept no compromise," Drake says. "I send out periodic reminders and check to make sure that things get done."
This approach is intended to get ahead of problems through regular contact with the dozen IT staff members who support the back-end applications and the online banking used by the 45,000 credit-union customers.
"I look at log reports and ask questions," Drake says, noting that constant dialogue with staff has been crucial in deploying newer technologies, such as data-leakage prevention to stop unauthorized transmission of sensitive customer information.
Jack Mackenzie, principal information security engineer at mortgage insurance company Radian Group, says the tip he'd offer first also has to do with helping people be more effective in their jobs. Radian Group has five security specialists interacting with an IT staff of 140.
In the past, IT staff would tend to describe problems they'd encountered, depositing them at his doorstep, waiting for him to discover something that might resolve them. But that method wasn't the way to quick, successful resolution, he says.
Mackenzie now lives by the adage that "I never take others' problems and make them my own. I'll steer them toward solving it." He says he helps staff with analysis, answers questions and suggests security approaches, but makes it clear he expects those directly in charge will execute any necessary changes. And he checks to see that it happens.
He says this approach encourages IT staff to confront security concerns more directly, and "problem-solve and bring the solution back".