Too many businesses of all sizes try to attack security threats on a piecemeal basis rather than develop a strategic plan for the entire organization.
The single most commonand most damagingerror in IT security practice is the failure to approach it from a strategic perspective.
IT security is a complex and competitive endeavor. Attempting to address individual issues without a clear and consistent sense of the larger picture is like trying to play chess without being able to see the board or any of the pieces.
Nevertheless, businesses, large and small, continue to tackle problems and potential problems on an ad hoc basis, facing them one by one once they are perceived as crises. As a result, they not only end up with bad security, but spend far more than they should in the process.
Read more here about security risks caused by the widespread use of instant messaging.
If this is such an obvious and common mistake, why do people keep making it?
First of all, contrary to common belief, information security is not a technology problem. While it has a major technological component, it is actually system-wide issue that touches on nearly every aspect of business practice and planning.
As such, strategic planning requires an active collaboration between IT and management staff. IT staff need to educate management about the nature and degree of security risks, appropriate responses, and the technical benefits and costs of various defensive approaches.
Management, on the other hand, needs to work with the IT staff to make informed decisions about appropriate levels of risk tolerance. It also needs to review non-technical security measures, and incorporate both technical and non-technical measures into broader business practices.
This kind of collaboration would be exceedingly difficult under of the best of circumstances, and security issues definitely do not present the best of circumstances. While good security may prevent serious losses, it very rarely brings in money.
Security risks, moreover, are notoriously difficult to predict and quantify. As such, management staff tends to view preventative security measures as something of a luxury, particularly if they have never experienced a major security breach. Indeed, they often tend to view IT staff who advocate for improved security as alarmist or paranoid (though, to be fair, this view is not always unjustified).
Click here to read why security seems to be relaxing even as IT disruption threats are rising.
IT staffers, for their part, often fail to place security concerns in context, focusing on technology issues to the exclusion of all else.
This makes communication with non-technical staff even more difficult and can further feed the perception of IT staff as alarmist by encouraging proposals that, while technically elegant, are overly burdensome or otherwise unfeasible in practice.
Next Page: Committing resources