If it hurts, stop doing it
Little kids usually touch a hot stove only once. The single biggest problem in computer security is that most companies aren't very good at figuring out how they are hurting. It's as if they're constantly touching a hot oven and wondering why they keep getting burned.
For example, most companies are very bad at patching, even though better patching is the single step that would reduce their risk the most. The majority of companies know patching is a hard problem, but they don't know what fraction of the intrusions in their environment began with unpatched software, so they never see how much the gap costs them. They don't fix it well enough -- then wonder why they keep getting burned.
Break the cycle. Investigate and find out your company's top three problems. Then form task forces and work to remediate the major issues. Everything else should take a backseat. Stop touching the stove.
Routines are good
Going to sleep at the same time every night contributes to a better night's rest and a more productive day. Routines are good for security, too; hackers love targets that lack them. They are irresistibly attracted to companies that are inconsistent in their application of computer security defenses. In most companies, even computers performing the same role are configured and protected differently. They drift away from a common standard over time for a variety of reasons.
Want to sleep better at night? Enforce consistency. Define a standard build for each role, and check hosts against it, so that computers performing the same role have (as far as possible) the same configuration, the same patch level, and the same security defenses. A host that differs from its peers is a finding in its own right, even before anyone asks whether the difference is exploitable.
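The consistency check described above is easy to automate once you have a per-host inventory (package versions, key settings, presence of security agents). The following is an added example, not code from the original column: it builds a baseline from the majority value of each fact across hosts in one role, or from an explicitly supplied standard, and reports every host that deviates. The inventory is constructed for illustration; in practice it would come from your configuration-management or EDR tooling.

```python
"""Configuration-drift check for hosts that are supposed to share a role.

Added example: the host names, fact keys and versions below are made up.
"""
from collections import Counter

MISSING = "<missing>"  # sentinel for a fact a host did not report at all

# Constructed inventory: three web servers that should be identical.
# web-03 has fallen behind on OpenSSL, has a weaker sshd setting, and is
# missing the endpoint agent entirely.
INVENTORY = {
    "web-01": {"openssl": "3.0.13", "nginx": "1.24.0",
               "sshd.PermitRootLogin": "no", "firewall": "enabled",
               "edr_agent": "7.2.1"},
    "web-02": {"openssl": "3.0.13", "nginx": "1.24.0",
               "sshd.PermitRootLogin": "no", "firewall": "enabled",
               "edr_agent": "7.2.1"},
    "web-03": {"openssl": "3.0.9", "nginx": "1.24.0",
               "sshd.PermitRootLogin": "yes", "firewall": "enabled"},
}


def baseline(inventory):
    """Derive a baseline as the most common value of every fact.

    Caveat: if most hosts in the role are wrong, the majority is wrong too.
    Pass an explicit standard to drift() when you have one.
    """
    keys = set().union(*inventory.values())
    base = {}
    for key in sorted(keys):
        values = [facts.get(key, MISSING) for facts in inventory.values()]
        base[key] = Counter(values).most_common(1)[0][0]
    return base


def drift(inventory, standard=None):
    """Return {host: {fact: (actual, expected)}} for every deviation.

    Only facts present in the standard are compared, so an explicit,
    partial standard (e.g. just the security-relevant settings) works.
    """
    standard = baseline(inventory) if standard is None else standard
    report = {}
    for host, facts in inventory.items():
        diffs = {}
        for key, expected in standard.items():
            actual = facts.get(key, MISSING)
            if actual != expected:
                diffs[key] = (actual, expected)
        if diffs:
            report[host] = diffs
    return report


def consistency_ratio(inventory, standard=None):
    """Fraction of hosts in the role that match the standard exactly."""
    if not inventory:
        return 1.0
    return 1 - len(drift(inventory, standard)) / len(inventory)


if __name__ == "__main__":
    for host, diffs in drift(INVENTORY).items():
        for key, (actual, expected) in sorted(diffs.items()):
            print(f"{host}: {key} is {actual!r}, expected {expected!r}")
    print(f"consistency: {consistency_ratio(INVENTORY):.0%}")
```

Run this per role, not across the whole fleet; a database server and a web server are supposed to differ. The consistency ratio is a useful number to track over time: it tells you whether remediation is actually converging the fleet on the standard or whether hosts are drifting back.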
Every company where I perform security audits ends up with dozens and dozens of findings and recommendations. I know the companies that enjoy more consistency will have a better chance of implementing my recommendations. The inconsistent ones have to become consistent before they can implement fixes effectively.
Good communication is the key to healthy relationships
Part of why companies do such a bad job at computer security is a lack of good communication. For example, if someone actually knows the most common way the company is exploited, do they share it with the crew? It seems silly, but I'm constantly amazed at how often almost nobody in the company understands the top problems or the extent of the damage.
I often interview computer security staff, executives, and regular employees, asking: "What is the No. 1 way hackers break into your company?" Rarely do I hear the right answer. When I do, I wonder why this one person knows it and no one else does. If so few know the right problems, how can the company make a concerted effort to solve them?
Identify the top problems in your company and share them with everyone. Don't assume everyone knows what you do and is working on solving the biggest problems first. Usually, they don't and they aren't.
Apologize if you hurt others
If your company is responsible for protecting other people's important digital information, and that information is compromised, apologize right away, even if you're not legally required to do so. Don't delay the notification or, worse, try to keep the intrusion under wraps. Secrets never remain secret, and waiting too long can only cause more anger (and potential lawsuits). Being quick to apologize, staying honest, and promising to try your best never to do it again goes a long way toward regaining lost trust.
There are lots of other recommendations I can make using the kindergarten analogy. But I want to hear the creative ones you can come up with. Anyone want to raise their hand?
This story, "Everything I know about computer security I learned in kindergarten," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes's Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.