Where should security effort be focused these days?
Friday, January 27th 2012 @ 7:01 AM
Yesterday, I was on a panel at the Information Systems Security Association’s Ottawa Chapter meeting. We had a great discussion on the security challenges of 2012. Clearly, there is a lot of concern among security professionals around the threats and vulnerabilities related to mobile devices and about outsourced data and services that are said to be in “the Cloud”. The other members of the panel included Greg Young (Gartner) and Chris Ellis (McAfee). They had some great insights on what organizations are doing, and should be doing, about these issues.
I think the result of the discussion was a signal to businesses (including government organizations) that we need a mix of returning to fundamentals of security and increasing efficiency overall. We highlighted the need to step back and identify gaps, and to focus on establishing and communicating effective policies that are clear and easy to follow.
We also need to do “more with less”, or try to work smarter to see where some of the wasted effort can be cut back (including my cherished security awareness posters). On that note, we did have some discussion around security awareness education and training. The entire panel, especially Chris and I, endorsed awareness training because it covers a broad range of risks to which all staff can become more sensitive, with real-life examples of how this has been successful. Greg felt that posters tend to become invisible, fading into the background as “wall ornaments” that nobody pays attention to. This is why I prefer that, if you do use posters, you move them around to unexpected locations or change them on a frequent basis. People will notice.
The topic of communicating with executives is one that I think is extremely important. How do you describe security risks and justify security spending to executives? Some felt that it should be worked into the "plumbing" of everyday operational business processes, so that it doesn't "look like" security to the executives. While I believe this is a great objective, I have a concern that it is likely to take a long time to change the organization in this direction. In the meantime, we shouldn't shy away from trying to communicate the importance of IT security risks to executives and senior management as soon as possible, but in terms that they can understand, focusing on the business consequences of the biggest risks, should they materialize.
There was also a strong theme of collaboration in this discussion. We each have varying degrees of experience with different security and business issues (like justifying security spending to executives), and the sooner we are able to share our experiences and lessons learned, the better we can secure our business environments.
The ISSA Ottawa Chapter is a smart, fun and vocal group of professionals. I was proud to be on this panel. Our next meeting is a big one on February 15, 2012, and focuses on Women in Security. The event features a high profile speaker, Marene Allison, VP & CISO of Johnson and Johnson, as well as Carol Osler, VP at TD Bank.
I am now offering monthly briefings, tailored to organizations that want to build and sustain security awareness for staff. Just because your security team is too busy to do its own training and awareness doesn't mean you can't have an economical way to address human security risks. Please call or email me at the coordinates below...
Scott Wright
The Streetwise Security Coach
Join the Streetwise Security Zone at: http://www.streetwise-security-zone.com/join.html
Phone: 1-613-693-0997 Email: scott@streetwise-security-zone.com Twitter ID: http://www.twitter.com/streetsec
To receive weekly security tips and other notices about helpful content available on this site, please make sure you are on my list by clicking HERE, and entering your name and email address.