Using zero-based thinking to improve your security program

    16 Dec 2024

    It’s almost 2025. We’ve known for quite some time what needs to be done in information security. Most best practices and standards have been around for decades.

    Still, many businesses are getting hit as hard as ever with security incidents and breaches. How can you move past this current state of risk? How can you start making strides in your information security program to get it to the next level and, eventually, to where it needs to be?

    Well, security improvement can begin now. All it takes is sitting down and thinking things through, ideally with your team. It’s actually quite simple: a proven formula that, when properly followed, can get you out of your security rut starting today. There’s no magic trickery involved. It’s a simple exercise called zero-based thinking. Zero-based thinking is a concept (really a tool) that has been around for ages and is used extensively in the business world to turn around failing companies. You can use it to work wonders in security as well.

    With zero-based thinking, you go “back to the future”: you project forward to your ideal situation and then come back to today and determine what must be done to make it happen. You’re effectively asking: knowing what we now know, would we still be doing the same things? If not, what would we do differently? It puts the adage “hindsight is 20/20” to work for your security program.

    You could literally sit down and step through this yourself, but ideally you will want the right people on board. Trying to turn around your security program on your own, with no other help, will likely prove futile, so it’s good to have the key players in the business on your side. This will certainly include people in IT and security, but also people in finance, HR, legal, and operations. Having an executive management sponsor won’t hurt either. These are the people in your organization that you know can help effect change in and around information security. Once you’ve assembled the proper team and support, you simply get together and ask yourselves the following questions to put zero-based thinking into action:

    1. If our security program were absolutely perfect in every way, it would have these things…
      With this, you simply list out how a well-oiled security program would look, run, and feel. It will likely involve areas such as better insight and visibility, more streamlined technologies, users who “get it”, leadership that’s on board, and so on. Whatever your needs call for, write down the ideal situation. This is your long-term view of where you need to head. Some, possibly much, of this might come straight out of your latest information risk assessment or security audit.
    2. Knowing what we now know, what would we have more of? Less of?
      This should be pretty easy. Anyone involved in any aspect of security will have their own view of which things are an enabler and which are a hindrance to your overall security efforts. Take these views to heart and do something about them. This is the meat of your concerns and your roadmap to improvements.

    Your ultimate goal is to determine what you would get into, or out of, to make things better with security. In other words, what should you start doing and what should you STOP doing? You and your team will know the answers to these questions. It may take some time, some debating, and even some heated arguments, but eventually you and your team will have the answers. Once you have clarity over what needs to be improved, set specific goals, each with an owner and a date, and hold yourselves accountable to them. This is the only way to get things done over the long haul without falling back into your old ways and being subject to that next big security event you could otherwise have avoided.

    There’s always room for improvement in security. Spend some time on zero-based thinking. Approach your program as if you had a clean slate, a tabula rasa, to start from. What can you do, and what will you do, moving forward? The answers are there, and it’s up to you and your team, combined with some willingness and discipline, to move along what needs to be done.