Security Awareness

Are you too focused on the technical aspects of cyber security?

By |April 23rd, 2015|Categories: Security Awareness|Tags: , , , , |Comments Off on Are you too focused on the technical aspects of cyber security?

When someone mentions information security, invariably thoughts go to technical aspects such as firewalls, routers, wireless access points and how to set those devices up—or to physical aspects such as locks, security guards and fences. These are the technical and physical controls that usually comprise our understanding of how to achieve the best level of security possible. But controls for information security fall into three main categories: the physical and technical—which we’ve already described—and the administrative, which often receives short shrift. Why?

My guess is that administrative controls are considered “soft,” focusing on management and training, and it’s pretty enticing to think that technical controls and physical controls will suffice for cyber security defense. Not a good idea, says Art Gilliland, senior vice president and general manager for Hewlett-Packard’s software enterprise security products in a recent issue of Computer World.

“…businesses and government agencies often focus on the next “silver bullet” product, unaware that most cybersecurity problems stem from flawed procedures and human error…invest in your people and process.”

In the broader world of business, success depends on the correct balance of the three main pillars: people, process, and technology. Within information security, are we creating a three-legged stool with one leg (technology) longer than the others? That can’t be good. Technology is an important piece of your arsenal, but insufficient by itself. Having sound policies, defining clear role-based processes and procedures, and providing communications and training for key stakeholders (which may include every employee) will create balance for the three-legged stool of information security. Policies and processes might sound like management overhead, but any organization desiring to provide consistent goods and services must have consistently applied policies and processes—i.e., CMMI, but that’s a topic for another
[ Read More ]

Is Your Head in the Cyber Security Sand?

By |April 9th, 2015|Categories: security|Tags: , , , , , , |Comments Off on Is Your Head in the Cyber Security Sand?

“We started as a relatively small company. Through success and internal growth along with some acquisitions, we are now a medium- sized company using the same policies and processes as when we first started.”

Does this sound familiar?

If so, take solace in knowing that you are not alone, but things have to change. For many companies, growth has outpaced their policies and processes, which can be a risky situation, especially in cyber security.

In information security, due care means “acting responsibly and doing the right things.” While information security is a very complex field, there are certain basic building blocks that must be in place for every company.

Ask yourself:

Do you know your company’s most important assets, where they are located, and how they are protected?
Do your employees understand their role in information security?
Do you understand the major vulnerabilities within your company?
Do you know the major threats and threat agents to your company / industry?
Do you know how your company would respond in the event of a cyber attack?
When the topic of cyber security comes up, most people think about firewalls, intrusion protection/detection systems, and other technical solutions. While these are inevitably part of the solution space, if you are hesitant or unsure of the answers to any of the questions listed above, you could be negligent in providing “due care” for your company.

You probably understand the things that need to be done to make your company secure from an information perspective. Nevertheless, not taking action—even by doing something as small as raising the issue with your leadership—can be construed as not “acting responsibly.” Knowing what to do and actually doing it are two completely different things. There will always be the “hot,” critical project that needs
[ Read More ]