Disconnect in organization’s Information Security vision ( expected level vs. implemented level)


Expected level vs. implemented level: why is there always a disconnect in an organization's information security strategy between the accepted level and the implemented level?

In this era of a global economy, an ever-changing threat landscape, and enterprise risk arising from cross-organization collaboration and online trading, information security has become a business enabler, making services possible that were never thought possible before.

First, organizations struggle to discover their crown jewels (the critical business systems and the sensitive data they store) in a perimeter-less network; and if they do, the next step is to identify the proper controls to protect them (CIA: Confidentiality, Integrity and Availability). Here I believe most organizations get misdirected by short-sightedness and by some individuals' viewpoints. We have great practices in foundational common-system and industry architectures and solution building blocks, but while we transform them into organizational practice, short sight puts the controls in a small frame and neglects the fact that today's threat landscape cannot be contained within a small frame.

I do agree that we cannot use one frame to cover every risk we need to mitigate, but we have to reach a balancing point and put the right controls in place to mitigate, reduce, transfer or avoid the risks identified. Nowadays we all talk about compliance and audit, and I feel that some organizations' frames revolve around these alone, limiting the frame by short sight; compliance is a mandate that has to be in place, but security is not limited to it. We have to be strategic and visionary, providing security alongside other viewpoints: the delivery perspective, the right employee and society awareness programs, and so on.

Awareness programs have become like a Windows installation: next, next, finish, then a quiz. Sometimes this becomes a burden to employees instead of them realizing that it is not limited to the organizational perspective but is also part of safety in their social life. I believe the reason behind this is a mindset, created by wrong assumptions about the information security department as something threatening, and it prevents people from reporting incidents. We have to change the mindset of employees and support and encourage them in identifying and reporting incidents. Information security training should be small and relevant so people can complete it successfully, and moreover the training content should feel like part of each person's karma, not limited to the organization but extending to society.

In the same way, other controls should be relevant and simple; complexity brings risk. If you think something is complex and cannot be made simple, then we have not tried all possibilities or come out of our couches and comfort zones.

** All of the above are my personal viewpoints and views.
