Have you ever wondered what security means to you as an IT admin? Or have you ever wondered what it meant to others, for example end-users or management?

If you would visualize these mindsets, it would look a bit like the images below.

From an IT admin perspective we tend to think using technology as a basis:

Geen alternatieve tekst opgegeven voor deze afbeelding

However if we look at the minds of end-users we tend to see something really different. Instead of thinking about technology they will think about it will affect getting their daily work done. A representation of their thinking might look similar the the one below.

Geen alternatieve tekst opgegeven voor deze afbeelding

And then there is also management or the business. They also have their own view on security. Most of the time, they will think of security as represented in the following image.

Geen alternatieve tekst opgegeven voor deze afbeelding

Now as can be seen, we have several views and meanings if you use the word security withing a specific target group. Each of these groups has their own interest and mindset when talking about security.

Here is where the “men or women get separated from the boys and girls”. Here is where the good security managers stand out and really make a difference. The real super power of security managers isn’t understanding how security works. It is understanding all of these viewpoints and finding ways to align these viewpoints and make everyone understand the value of a good security practice. But to also do this security managers will also need a deep understanding of the business and its processes. Once a security manager has acquired all of these insights, he or she can start beginning to align all viewpoints. So basically, this is where they will shine. They will shine in aligning all expectations and all viewpoints to make a safer environment for people to work with.

In addition I would also like to hand-out some tips for staring security managers to get them going as well.

  1. The first tip is learning. Never stop learning. Don’t stop learning on new technologies out there, but also don’t stop learning about your end-users, business development and for example legal requirements.
  2. Security should be a business function. It should be woven into the daily work routine. So that people can say things like: “Working secure? It’s nothing special. It’s just the way we do things around here”.
  3. Security should not only be an operational concern. It should be addressed on a strategic level as well. If there is no leverage from higher management, security will tend to fail for the operational level as well.
  4. Security should be effective & simple. If security isn’t effective or simple, people will try to find work around or they tend to not use it at all.