Are you feeling insecure lately? No, not about yourself – but about your organization’s competitive position in the marketplace? What about its ability to meet client and business partner obligations? Or, it’s ability to stay out of the court system and on the good side of your industry’s regulators? Well, if your organization is like most, it’s got problems – big problems – when it comes to protecting one of its most valuable assets: electronic information. Arguably, electronic information is second in value just behind your organization’s employee capital.
There are a lot of security tips out there that you can follow: firewall this, encrypt that, strong passwords for all, and security policies that leave no byte unturned. These are all security “best practices” that we hear about and have forced upon us by checklist auditors, lawyers, regulators, and (perhaps worst of all) vendors generating hype in the name of a dollar. An alarming number of organizations buy into this free advice and blindly operate their businesses believing that if they throw enough money into some technology and document key security policies, they’re safe. Everyone else is doing it, after all. Yeah, right! This one-size-fits-all mentality is way off and bad for business.
Don’t jump on the bandwagon and start implementing security measures just to please others or because someone said it was the right thing to do. Not that the advice you receive will be completely off base, but you do need to have a few key elements in place before you can effect change and secure your information systems from the elements:
Key leaders and decision makers who understand the importance of security, privacy, and IT governance – not just a best practice or regulatory requirement that the company needs to dodge, can get to later, or ignore altogether. In other words, people with the bravado to see security and privacy as legitimate business issues and make things happen.
Management who is willing to incorporate more money into the budget to manage information risks, not just throw money at short-term fixes.
An IT governance committee made up of several people from various areas of the organization that calls the shots – i.e. creates and enforces security policies – not just the IT administrator doing his/her own thing.
An information classification system that clearly outlines what electronic assets are present on your network, which information needs what type of protection, how you’re actually protecting it, and how it needs to be retained for legal and regulatory purposes.
Security standards that every administrator, manager, developer, and team works by to ensure that all critical systems are consistently secured throughout the organization.
A security incident response plan that’s well-documented and tested. Malware infections and malicious attacks are inevitable and your organization needs to be able to respond in a mature and responsible way.
Users who are reasonably aware of security and privacy issues combined with IT/security administrators and management who don’t depend on them for the security and privacy of the organization’s information.
Wise technology purchases that help automate security tasks and enforce specific business policies you’ve already put in place.
Well-known IT/security standards and frameworks such as ISO/IEC 17799:2005, COBIT, and ITIL are nice for starters but don’t put them in place for show, to look good on paper, or simply “fit in”. It may sound clichй, but I see it all the time. This kind of reliance on implementing best practices for pleasing someone else and documentation for the sake of documentation is a great way to set your IT governance program (and potentially your entire organization) up for failure long term.
Don’t fall into the myrmidon mindset. Think for yourself. Look at your own requirements and your own needs in the context of which you’re doing business. Show reasonable effort to minimize security and privacy risks relevant to your organization and document why you’re not falling in line with the masses for everything else. You can save money, time, and a whole lot of effort and still please the regulators and auditors that ask questions down the road.