During Cybersecurity Awareness Month, thousands of cyber experts from across the globe convened in Las Vegas for the ISC2 Security Congress 2024 to discuss the industry challenges and best practices — including strategies for reducing business risks and minimizing uncertainty in their operations.

Ralph Villanueva was one of those cyber professionals who offered advice to audiences. An IT security and compliance analyst at Hilton Grand Vacations, he riffed on the popular business self-help book “7 Habits of Highly Effective People” for his presentation, distilling best practices into seven habits and detailing how they fit into day-to-day work.

The 7 habits of effective IT security and compliance professionals

The habits Villanueva highlighted include:

1. Understanding your enterprise’s business mission, vision, and objectives. Instead of focusing on your role, get everyone on board with one mission.
2. Continuously studying the internal and external IT environment and risks of your enterprise.
3. Knowing the key players in your enterprise. Some employees may dismiss this as “playing politics,” Villanueva said, but it’s important to know who to go to for budget needs or other requests.
4. Understanding your strengths and weaknesses, recognizing when to ask for help.
5. Learning to communicate the technical requirements of compliance. Help coworkers and stakeholders from other parts of the business understand why those requirements are important.
6. Accepting the reality of your job, which means expecting and having plans for pushback. “Some people will unfairly look at the security policies and the data provenance policies we put in place and say it’s an unnecessary burden. Ironically, that includes some of the key officers of the company,” Vlillanueva said.
7. Adopting a proactive, positive attitude — and remembering that you can make a difference in your organization. “It [a positive attitude] will not get the work done, but it will help you be a better IT security audit and compliance professional,” Villanueva added.

What roadblocks stand in the way for security and compliance professionals?

These recommendations can help security and compliance professionals overcome common roadblocks, Villanueva said. Obstacles can include the “silo” nature of business, in which other departments see security as “IT’s problem.”

As Villanueva explained, the sales department may aim to reduce what they perceive as friction in certain processes. Meanwhile, IT may think some friction helps keep those processes safe. Similarly, employees both inside and outside tech roles may fixate on functionality instead of looking at the big picture.

“Some companies have a piecemeal approach to updating their servers, their endpoints, their databases,” Villanueva said.

SEE: At ISC2 Security Congress, SentinelOne CISO Alex Stamos named sophisticated threat actors as the most pressing concern for cybersecurity professionals today.

Additionally, board members and executives may not prioritize cybersecurity.

Relying too much on technology can also be detrimental to a business. Security and compliance professionals must realize over-reliance on technology itself might be damaging, as Villanueva highlighted cases, such as the CrowdStrike outage in July and lawyers being penalized for using ChatGPT, as relevant examples of overreliance on technology.

How to apply the 7 habits in your business

Villanueva emphasized that instead of focusing on day-to-day challenges, security and compliance professionals should consider the big picture. He reminded attendees of the importance of the old business staple: the “three-legged stool” of people, process, and technology.

Villanueva suggested one solution to the problem of groups being siloed at work is to have meetings more often. “For some meetings are a waste of time, but meetings are really important to getting everyone on board,” he said.

He recommended getting as much board involvement as possible. One day, Villanueva predicted, public companies may be mandated to have an AI expert on the board. The SEC considered mandating a cybersecurity expert sit on boards of directors of public companies as of 2022. However, it retracted the proposal by 2023.

Finally, Villanueva reminded security and compliance professionals to monitor third-party risk. In one gaming establishment, he said, threat actors walked away with a pot of personally identifiable information — because they were able to break in through a third-party vendor managing a fish tank.

Disclaimer: ISC2 paid for my airfare, accommodations, and some meals for the ISC2 Security Congress event held Oct. 13 – 16 in Las Vegas.