Why your IT Christmas list should leave room for security awareness and education
Thursday, October 22nd 2009 @ 7:30 AM
Christmas is just around the corner. What's on your IT Security department's wish list this year? Are you expecting breakthrough solutions in detecting and responding to attacks by hackers and phishers? Or maybe improved tools for preventing and responding to malware and viruses? If so, then you should also ask Santa for a few good books, too - maybe something with titles like:
"Staying on the Right End of the Phishing Rod" by Q.T. Hooker
"Don't Stick That in Your Computer" by Will U. Regretit
"Think Before You Click" by Rob D. Agin
But seriously, while security technology continues to improve, it's just not keeping up with the threats. This article in SC Magazine explains that, despite everyone's best efforts, the gap is widening, and the top risks in IT are far from being adequately addressed with today's technology safeguards.
Sadly, the referenced report by SANS - one of the most respected authorities on the state of IT Security - is focusing on "Critical Controls" (technical controls, specifically) that make virtually no mention of awareness or education as a requirement, even in the short term. This makes no sense to me. If the trend shows that we are getting further from having reliable technology solutions to counter today's threats, wouldn't it make sense to give a passing mention to the most reliable, compensating - and most cost-effective - measures that can be implemented right now?
Am I just being a little too much of a Scrooge when I predict that this Christmas won't be a good one for IT Security? Sure, having technical safeguards IS critical, as SANS explains. You should be looking at them, and putting them in place when they can really help. But is it worth investing your whole budget on an 80% security solution if you have no strategy for dealing with the other 20% of the risks? You can't assume that your IT Security department will magically have the time and resources to fill the education gap left by whatever technology is put in place.
In short, make sure your team knows the fundamentals for dealing with everyday threats they face when making risk decisions while handling your business's sensitive information. They do use the Internet, don't they? That means the threats are there.
Training and discussion about new and dangerous risks in their job environment can help hold the fort until the reinforcements arrive in the form of better Web application, anti-malware and endpoint security solutions. They are coming, aren't they? ... So's Christmas.
Psst... Here's a hint. Coincidentally, I do offer keynotes, training and workshops within "The Streetwise Security Awareness Program". Click HERE for more info, or HERE to request a quote.
My live security awareness webinars are a quick and affordable way to provide your entire staff with professional quality security awareness training and education - whether it's general training or for specific teams or industries. I offer group rates and can tailor content to your specific needs. Please call or email me at the coordinates below, or CLICK HERE to see my training webinar catalog.
Scott Wright
The Streetwise Security Coach
Join the Streetwise Security Zone at: http://www.streetwise-security-zone.com/join.html
Phone: 1-613-693-0997 Email: scott@streetwise-security-zone.com Twitter ID: http://www.twitter.com/streetsec