Musings on Information Security
September 2005

This work is licensed under a Creative Commons Attribution 2.5 License.
Who gets to manage security?

Have a look at this interesting article, "Techies don't get security either".

The article's message is compelling: pure security techies cannot progress beyond a certain point in their careers, so the people who manage security in a company are most likely to come from a business background.

When I started acquiring a business degree (MBA), it was more of a "herd" mentality - hats off to the tremendous _marketing_ of business schools. The business school marketing message is clear - get an MBA degree and become a manager, director, entrepreneur, venture capitalist and so on.

Managing risk in a company requires "business sense", which many security techies may not have - "business sense" involves communication skills, project management skills and political skills. Irrespective of my poor justification for entering an MBA program, in hindsight it turned out to be a good decision: the program has given me some "business common sense".

I think that for security techies (or any techies, for that matter), acquiring "business sense" is a must in order to grow. Acquiring a business degree is not the _only_ way to get business sense (which I was originally made to believe) - there are a lot of good books - check out http://www.mypersonalmba.com

Quotable security quotes #5

"I'd sit there and first I'd look through the comments, pick through the security holes, and then I'd see what the developer did to fix it because they'd always leave it well commented - thank you very much - and then I'd work back and figure out how I could write exploit code to exploit their vulnerabilities."

- Kevin Mitnick

Simplified Security - Tip #9: Implement sound personnel practice

Implement sound personnel practice - the benefit is that the company has a better chance of minimizing internal threats.

It is a well-known fact that the majority of threats are internal. Company employees often leak proprietary information, knowingly or unknowingly. Imagine for a moment confidential data in the hands of a disgruntled employee; the ramifications are tremendous.

Sound personnel practice involves many things:

Job description - This is the first step in the hiring process. Make sure to classify the security level of the job, i.e. whether the job warrants exposure to critical data.

Background checks - Make sure you hire good people by running background checks on them. Moreover, hire people who hold a security clearance appropriate to the job classification.

Roles and responsibilities - As soon as employees are on board, define their roles and responsibilities clearly. Derive their data access profile from those roles and responsibilities, and don't grant them access to more data than is necessary to get the work done.

Cross training and job rotation - Cross-train employees so that there is no single point of reliance. By rotating jobs you can deter collusion, information hiding and cheating, since whoever takes over a role will see the irregularities the previous holder left behind.

Following sound personnel practice does not imply that we distrust employees; rather, it implies that we are selective about whom we trust and that we believe in processes that can help expose violations of trust.

Thought #9: Why is mandatory vacation for employees a good idea?

