Top Security Mistakes to avoid
And so I started a list of the top CSO/CISO mistakes I observed in my dealings with them, in the hope of sharing it the next time I was asked that "difficult question". The focus I adopted was on the mistakes that IT departments or heads of security programmes could avoid, the career-limiting ones I observed in my daily dealings.
I came across the article in the heading link of this post today and really enjoyed it. It focuses on the top 7 customer mistakes, from a more technical controls and approach perspective. First, it confirmed what I was observing; second, it helped me prioritise the list I already had. Thirdly, the author had spent some time describing the details behind his top 7 mistakes. This is a worthwhile read for us and customers alike.
Here is the list I use for my customers; some items overlap with those mentioned in the article, and combining the two lists creates a great "What NOT to do!" list of 20 things:
(NOTE: This posting has been revised and improved, go here to see revised version.)
1. “It will not happen to us” or “The problem will go away”
2. “Virus infections are just a nuisance and not a BC issue”
3. Authorizing reactive short-term fixes
4. Failing to realise the value of their information and organisational reputation
5. Failing to realise the costs of lost productivity and downtime
6. Relying primarily on firewall and antivirus
7. Failing to deal with the operational aspects of security
8. Failing to understand the relationship of information security to the business problem
9. Assigning untrained people in an unorganised fashion to maintain security
10. Underestimating the costs of “catching up when the need arises”
11. “I can’t be held legally liable for lax information security”
12. Security is the IT department's problem
13. “My management are not concerned, so why should I be?”