Prioritize quick decisions
Most companies are stunted by analysis paralysis. A lack of consistency, accountability, and ownership renders everyone afraid to make a change. And the ability to move quickly is essential when it comes to IT security.
The most secure companies establish a strong balance between control and the ability to make quick decisions, which they promote as part of the culture. I've even seen specialized, hand-selected project managers put on long-running projects simply to polish off the project. These special PMs were given moderate budgetary controls, the ability to document changes after the fact, and leeway to make mistakes along the way.
That last part is key when it comes to moving quickly. In security, I'm a huge fan of the "make a decision, any decision, we'll apologize later if we need to" approach.
Contrast that with your typical company, where most problems are deliberated to death and left unresolved, so that the security consultants who recommended a fix find the same problem waiting for them when they are called back the following year.
Camaraderie can't be overlooked. You'd be surprised by how many companies think that doing things right means a lack of freedom -- and fun. For them, hatred from co-workers must be a sign that a security pro is doing good work. Nothing could be further from the truth. When you have an efficient security shop, you don't get saddled with the stresses of constantly having to rebuild computers and servers. You don't get stressed wondering when the next successful computer hack comes. You don't worry as much because you know you have the situation under control.
I'm not saying that working at the most secure companies is a breeze. But in general, they seem to be having more fun and liking each other more than at other companies.
Get to it
The common traits of highly secure companies described above may seem like common sense, and some of them, like fast patching and secure configurations, have been standard advice for years. But don't be complacent about your knowledge of sound security practices. The difference between companies that succeed at securing the corporate crown jewels and those that suffer breaches comes down to two traits: concentrating on the right elements, and instilling a pervasive culture of doing the right things rather than talking about them. The secret sauce is all here in this article. It's now up to you to roll up your sleeves and execute.
Good luck and fight the good fight!