“We need to spend a lot less of our time focusing on getting the next tool, and doing a much better job implementing the last tool,” said Robb Reck (@robbreck), CISO for Pulte Financial Services, in our conversation at the 2015 Black Hat Conference in Las Vegas. “We can get a whole lot more on less resources, and I think in the end we get a whole lot more secure organization.”
Reck went on to suggest that security professionals should focus on the last tool that’s not fully implemented or the one whose full potential hasn’t yet been realized.
In addition, don’t try to do too much at once, advised Reck. Manage just one or two things at a time. No matter what resources you have, there’s only so much mindshare you can get out of people. Prioritize, and see those things through to completion. Don’t take people off a project that’s only half done.
“It’s not so much about do you have the resources in your security team, but rather does your organization have the ability to change as quickly as you want to change,” said Reck. “Make sure your company can swallow everything you’ve got in its mouth currently before you give it more to chew … As a security leader, you have to build trust over time and part of that is having that vision, communicating that vision, and implementing that vision as you go.”