One of the most common recommendations I hear in the information security industry is ‘the first thing you need to do is create an information security policy’, a set of principles or actions designed to protect information (a definition based loosely on the dictionary definition). That sounds simple enough, but the devil is in the detail.
In Part 1, I took a business perspective of the challenges involved in trying to achieve a balanced security approach and the pitfalls of poor alignment between IT and the business. From an IT perspective, the drivers may vary, but similar pitfalls exist.
With any IT project, we know that optimal solutions are only possible when they align to the needs of the business. So why is it that this alignment is so difficult for information security?
In Part 1 of this blog, I argued that relying solely on Standards as your blueprint for information security will leave you exposed, as they offer only generalised considerations and are outdated or misleading.
There are several Information Security Standards in the marketplace that are designed to assist information technology security (ITS) practitioners in protecting their organisation’s information and systems. I argue, and have done for many years, that they actually do quite the opposite. They confuse practitioners and do not work towards the (assumed) goal of improving information security. Here’s why.
We all know security is important, but simply throwing money at your information security (IS) investment is a costly and unreliable method of reducing your exposure to risk.
Do any of these lines sound familiar?
• “I just read about this serious vulnerability. Are we OK?”
• “How did this happen? You assured me we were secure.”
• “We already spend $$ on security – why do we need more?”
• “I don’t understand any of this cybersecurity stuff. Just fix it.”