1. Let’s make sure we bring context into conversations. Remember that saying “there are two types of organisations, those that have been breached and those that don’t know they have been breached” is like saying “there are two types of shops, those who have been robbed and those who don’t know they have been robbed.” Robbery can range from staff stealing pens from the stationary cupboard, to petty shoplifting, to actual armed robbery. When making statements such as these, context is important to make sure the right message is understood.

2. Let’s focus on the getting the basics right before we start worrying about any new threats or the latest cool vendor solution. Ensuring that basic security controls are in place and working as they should is not an easy task, particularly for large enterprises. Remember: without the basics controls in place, the new headline grabbing threats are not what you should be worried about as you are more likely to be breached as a result of an existing threat. Also, if you cannot get the basic controls working what makes you think you will be any more successful with the latest and greatest vendor solution?

3. Communicate proactively and clearly to senior management and the business. Whenever you see news headlines that will raise questions at senior management level, make sure to put your context on that story and highlight what you have in place to prevent it impacting on your organization. Communicating regularly with the business will also cement you - and not the media - as the trusted source for information security news.

4. Ask questions! Every time you hear a vendor, a conference speaker or read an article that makes statements without providing context or gives statistics without providing the data, ask yourself what are they trying to achieve? Don’t be afraid to challenge these sources and get clarification on how they are using data to support their arguments. Always ask why.


5. Finally, let’s work together and share information on how we can better protect our networks, systems and data. If you’ve managed to successfully implement a solution to a particular problem, share it with your peers. Post it online in a blog post or as a white paper. Consider li presenting it at a conference. It need not be a major conference - start with your local chapters of ISSA, ISACA, ISC2 or OWASP.

Our job as information security professionals is a challenging and exciting one, but let’s make sure the work we do is based on facts and logic and not on hyperbole and headlines.