Radical or Lazy, what type of info sec practitioner are you?

Matt Tett

Matt Tett is the Managing Director of Enex TestLab, an independent testing laboratory with over 22 years of history and a heritage stemming from RMIT University. Matt holds the following security certifications in good standing: CISSP, CISM, CSEPS and CISA. He is a long-standing committee member of the Australian Information Security Association (AISA), Melbourne branch, and is also a member of the Information Systems Audit and Control Association (ISACA). Enex TestLab can be found at http://www.testlab.com.au, its blog at http://enextestlab.blogspot.com, and on Twitter as @enextestlab.

Having worked in and around information security for more than 20 years, I think I’m in a good position to make observations about the industry.

My work brings me into contact with all walks of security, from governments through large multinationals to SMEs. I’m also heavily involved with many boards and committees with security mandates, which gives me a view across industries and disciplines that few practitioners get.

Within organisations, I think there are really two distinct categories of individuals practising security. There are the sheep, lazy and content to follow the pack lest they be caught deviating from the norm, and then there are those willing to innovate (without necessarily creating additional risk).

There are many examples of these two groups we’d all be able to think of, so I won’t rehash them. People are often encouraged through organisational culture to sit back and follow, while others, in more positive organisational cultures, are willing to speak out when they see an opportunity for improvement.

What I see today is that far too many medium-to-large organisations understand the need for security, but do not connect the risk of information loss or a privacy breach to what their security program actually does.

These organisations effectively pay security lip service, going through the motions at minimal cost and simply hoping that the inevitable breach is minor enough to be hidden from the public, can be blamed on a third party, or goes undetected in the first place (oh, to be blissfully ignorant).

Aligning the value of the information you’re protecting with the security measures implemented to protect it is fundamental to moving beyond mere lip service. Your information can be worth far more (or, of course, far less) than the protection you have spent on it.

I see many organisations investing just enough to draft and deploy information security management procedures, without going that crucial step further. Their procedures inevitably specify a need for periodic internal (and sometimes external) security audits and penetration testing, and most organisations will undertake these.

Audits and tests will, almost by design, reveal non-compliance and holes that require further effort. Some organisations do the testing and then work to address the findings, steadily improving their security posture. Many others simply complete the audit and file the report away, a tick-the-box exercise repeated each period.

The motion has been gone through, but the intent and purpose behind it have not been recognised, let alone honoured. Instead of using the lessons learned from auditing and testing to grow the maturity of their security system, they merely tick boxes.

Proactive organisations take their security systems, policies and procedures seriously. They treat them as ever-changing, organic beasts. They implement a solid information security management system (ISMS), dedicate themselves to continual security improvement, and learn from others in their industry. Individuals in these organisations are encouraged to think outside the box and to trial new ideas and concepts in safe environments.

I think a key indicator of an organisation practising this kind of security is the level of its employee (and in some cases third-party, client and customer) security awareness activity. These organisations try to educate each and every one of their people in basic personal information security and privacy concepts, as well as in their specific security policies. These are the true leaders, committed to ensuring they have a firm base of security awareness across their people.

What do you see?
