- If a company doesn't have a business continuity plan when a disaster occurs and assets are devastated, the company could go out of business.
- If an organization doesn't encrypt sensitive data, it could be found guilty of non-compliance, or if the data fell into the wrong hands the company could end up in the headlines because a thief got hold of its customers' personally identifiable information.
- If an organization does not use change controls and changes are being made in an unauthorized manner, the company essentially loses money in operational costs, and this directly affects the stability of a corporate environment.
And even if these three items are under control, if an organization doesn't implement proper wireless security then someone can use that avenue to carry out destruction. Likewise, if proper access controls aren't in place there is a possibility of fraud and of unauthorized access to sensitive data and company assets. Additionally, if security awareness training is not provided, then your organization may be non-compliant with one or two regulations, your users will not be informed of their responsibilities, and you could be opening up your organization to potential civil suits.
There are just too many things that organizations need to carry out within their security program. Most organizations are very technology-centric and do a great job of implementing and maintaining firewalls and their perimeter security, but fall short on personnel security, data classification, access control and auditing.
So every organization has its own top five things that it needs to work on. The industry as a whole is behind on many of the softer security skills (data classification, personnel security, risk management, process management, incident response, etc.), and if one piece is missed, it can negatively affect the company in different ways.
In my experience I have found that most organizations, and even security professionals, do not fully understand ALL of the components that make up a security program. Because organizations and people are so technology-centric, they do not know how to properly integrate security into business processes. While this is getting better over time because regulations are requiring organizations to do a lot more than just implement products, this is an evolutionary process and we are going through a lot of growing pains as an industry.