Security is one of the key areas that companies are looking to improve. Ask any senior IT manager and it ranks as one of the top initiatives. Ask almost any business executive and it is also a high-ranking topic.
I have been on several calls with our resident security analyst and he almost always points out that security is not a destination; it is a process. On one recent call, he suggested to the customer that the initial step should be gaining visibility into the current state of security readiness or posture. The initial suggestion was for a Risk Assessment. The purpose of the Enterprise Risk Assessment is to identify, estimate, and prioritize risk to organizational operations, organizational assets, individuals, mission, functions, and reputation resulting from the operation and use of information systems.
- Gaining visibility is the key starting point to building a security culture and improving your security posture.
- Visibility
This gives you a clear picture of the threats and the specifics that help frame the issue or task.
- Collecting intelligence to monitor and track
Logging from critical applications, systems, and services is a key element in enhancing your security posture. It can provide key information and potential indicators in the event of a compromise.
- Security Education and Awareness for staff
The biggest risk vector at most companies is non-IT staff. Users spend their time browsing the internet and sending and receiving email, which exposes them to phishing, spear phishing, and malicious websites that attempt to install malware on visitors.
- Develop a Security Plan
Work on your security plans and policies and make sure to include non-IT personnel. It is critically important to get the support of executive staff to ensure the changes are adopted and that the importance of security is known and emphasized.
These are a few of the items that help build a security culture in your organization. At the end of the day, most firms need to assess their IT infrastructure and security policies (social media, smartphones, remote access, travel, etc.) and work on building awareness of the importance of security in business (and likewise in government and education).
This is a big topic, and one that our engineering staff has a lot of opinions on and likes to share anecdotes, stories, and experiences about.