Ask the Expert

What are the top five concepts or lessons on security management?

If you could make business/executive management more aware about five concepts or lessons on security, what would they be?

Getting it down to 5 is really hard, but here goes:
  1. Security is a journey, not a destination: Executives need to understand that security is never done. If a new user or application or trading partner has been introduced to the organization, then new risks have been introduced as well. Security is not a box that can be checked. That is probably the most important concept to convey.

  2. Nobody can protect what's important, unless it's been made clear exactly what is important. Security is not generic. It's important not to treat every system and asset the same. Some stuff is important and should be protected at all costs. Some stuff isn't, and therefore resources shouldn't be expended to protect it. The executive managers have to decide what's important, and they need to tell the security team. Help them understand the choices they need to make.

  3. Compliance is not the goal of information security. This is related to No. 1, but important in its own right because many executives believe that once they get the compliance stamp from an annual audit, they don't need to think about security anymore. Being compliant does not mean the organization is secure. That's extremely important to get across.

  4. The users are the weakest links. The reality is that many serious data breaches are caused by human error and are not intentional. That means it's still important to train users on a continual basis about what they can and can't do.

  5. Incidents are going to happen. There is no way around it: EVERY organization will eventually be faced with an information security incident. Many executives freak out when incidents occur, and that's because the security team has done a poor job of managing expectations. The important part is how well the organization recovers. How much data was lost? What are the ramifications? Help the executives understand the need for a formal response plan, because having one in place when the inevitable happens will make it much easier to deal with.

This was first published in June 2008
