It’s almost 2025. We’ve known for quite some time what needs to be done in terms of information security. Most best practices and standards have been around for decades…
Still, it seems that many businesses are getting hit as hard as ever with security incidents and breaches. How can you move past this current state of risk? How can you start making strides in your information security program to get it to the next level and, eventually, where it needs to be?
Well, security improvement can begin now. All it takes is you sitting down and thinking things through, ideally with your team. And it’s actually quite simple: a proven formula that, when properly followed, can get you out of your security rut starting today. There’s no magic trickery; instead, it’s a simple exercise called zero-based thinking. Zero-based thinking is a concept – really a tool – that’s been around for ages and has been used extensively in the business world to turn around failing companies. You can use it to work wonders in security as well.
With zero-based thinking, you go “back to the future” by projecting forward to your ideal situation and then coming back to today and determining what must be done to make things happen. You’re effectively asking: knowing what we now know, would we still be doing the same things? If not, how would it be different? It’s putting the adage “hindsight is 20/20” to work for your security program.
You could literally sit down and step through this yourself. Ideally, you will want to have the right people on board. Trying to turn around your security program on your own with no other help will likely prove futile, so it’s good to have the key players in the business on your side. This will definitely be people in IT and security but also people in finance, HR, legal and operations. Having an executive management sponsor won’t hurt either. It’s the people in your organization that you know can help effect change in and around information security. Once you’ve assembled the proper team and support, you simply get together and ask yourselves the following questions to put zero-based thinking into action:
Your ultimate goal is to determine what it is that you would get into or out of to make things better with security. In other words, what should you start doing and what should you STOP doing? You and your team will know the answers to these questions. It may take some time, some debating, and even some heated arguments. But eventually you and your team will have the answers. Once you have clarity over what needs to be improved, then go about setting specific goals and holding yourselves accountable. This is the only way to get things done over the long haul without falling back into your old ways and being subject to that next big security event that you could’ve otherwise avoided.
There’s always room for improvement in security. Spend some time on zero-based thinking. Approach your program as if you have a clean slate – as defined by the Latin term tabula rasa – to start from. What can you do – what will you do – moving forward? The answers are there and it’s up to you and your team combined with some willingness and discipline to help move along what needs to be done.