Monday 4 April 2016

Soft Security is Hard

When I was first asked if I wanted to do security as my main job, I was warned that it would be highly policy-based and governance-focused; very different from my hands-on technical background. I was also told that it would be a great challenge. Having done this for a (little) while now, I can firmly say that those initial warnings were a huge understatement.

Further to this, at pretty much every security seminar or conference I go to, the recurring theme is that people are the biggest risk. Or, more precisely, that people are the biggest challenge.

All of this has started to sink into place. You can have the best technology in the world, but if the people who use it want to circumvent technical security controls, then they will find a way, whether it be to steal data or just out of pure laziness. Does any of the below ring any bells?

"We've always done it this way...", "...we're not a bank...", "...it's the only password I can remember...", "...we're too busy...", "...we've never had a breach before...", "...yada, yada, yada...".

Setting policy to match the risk profile and appetite of a business is one thing. Driving the cultural and organisational change needed to implement that policy is something else altogether. It requires complete buy-in and sponsorship from the top. Even with this advantage, it takes phenomenal time, effort, patience, and resilience. Amongst the success and progress there are many setbacks and obstacles to overcome, whether they be due to competing for resources with commercial projects, or to general politics, egos, and bullshit.

Apart from a good technical understanding of threats, vulnerabilities, risk, and treatment options, I would say that the most important attribute for a full-time security manager is a healthy balance between resilience and patience. To paraphrase the Serenity Prayer: you must have the courage to change the things that you can, the grace to accept the things that you can't, and the wisdom to know the difference.

I would add to this "...and the resilience and patience to recognise those things that must be changed but have to wait".

Of course, if you are lucky enough to have a great mentor and an energetic and enthusiastic team, then the odds are more in your favour!

It also helps, in more ways than one, to keep up that hands-on time whenever possible. In developing defences it is essential to have an understanding of the attacks. This means getting involved in incident response, finding out what malware does in a safe, isolated environment, simulating your own MITM attacks in a variety of situations, running your own phishing campaigns against your organisation, and cracking your own users' passwords, for example.

Understanding the technical and social engineering methods used by external attackers and insiders allows you to prioritise treatments in your mitigation strategy, and to understand where your vulnerabilities remain when the organisation pushes back on recommendations due to time, budget, or politics.

The saying is that security is a journey and not a destination. This is true for two reasons: the ever-evolving threat landscape, and users' defiant urge to do things their own way and ignore policy and process.

So, good luck on this journey because we are all going to need it! This isn't intended to sound as pessimistic or defeatist as it may. If you enjoy a challenge then you are in the right place! And there will always be a job to do.

I'll be posting some of the tips, tricks, and strategies that have resulted in success in this space in the future, so stay tuned.
