Is Your Security Program Going Nowhere Fast?
Today’s security threats are real, and business risks are tangible. Yet, many organisations manage their security program in a way that does little to address these challenges over the long term. The last thing you need is to take the wrong approach to security, spend money you do not need to spend, and end up woefully unprepared for events when they occur.
By and large, many IT people manage IT with a false sense of security, a heightened sense of their own capabilities. They are getting stuff done. They are spending money, going through the motions and things are happening. Management sees this and assumes that all is well, but it is not.
Some Common Fallacies That May Be Holding You Back
- Looking from a higher level at what is taking place in the average enterprise, security is all over the place. Some people swear by their security awareness and training initiatives, yet their users’ behaviour remains wildly unpredictable. Many such efforts are beneficial, but when they fail to measure users’ progress, they squander opportunities for improvement.
- The same goes for policies. Even the best security policies and procedures are useless if the organisation’s practices do not reflect them. Policies on their own cannot prevent a data breach. We all need to ask, “Does the behaviour reflect the policies?” If not, there is a problem that needs to be addressed, either with policies or behaviour, often both.
- Still, the same can be said for technology. I would estimate that half of the security products and services I come across are woefully under-implemented, some to the extent that you cannot help but wonder why the money was even spent in the first place.
- Some IT and security professionals believe they have completely locked down their network, but there are always gaps. Some organisations focus too much on compliance and too little on security, while others are too trusting of their vendors.
As economist Thomas Sowell once said, “It takes considerable knowledge just to realise the extent of your own ignorance.” The mark of a true professional is someone who realises that he or she does not know everything and cannot secure his or her network against all the threats that are out there. Once you acknowledge this, you are well on your way to achieving a reasonable state of security.