Thursday, June 23, 2005

Top Security Mistakes to avoid

As I consult and do security assessments with many customers, I am fairly accustomed to telling them what to do. However, every now and again a shrewd IT manager or CSO/CISO will ask me "What mustn't I do?". Initially I couldn't provide an answer, but after a while I understood the crazy logic. Faced with the challenge of 100 things that need doing in a security program, perhaps it does make sense to look at the things NOT to do first - maybe that list is shorter and it will help you prioritise things!

And so I started a list of the top CSO/CISO mistakes I observed in my daily dealings with them, in the hope of sharing it the next time I got asked that "difficult question". The focus I adopted was the mistakes that IT departments or heads of security programs could avoid, and that could otherwise be career-limiting.

I came across the article in the heading link of this post today and really enjoyed it. It focuses on the top-7 customer mistakes, from a more technical controls and approach perspective. First, it confirmed what I was observing; second, it helped me prioritise the list I already had; thirdly, the author had spent some time describing the details behind his top 7 mistakes. This is a worthwhile read for us and customers alike.

Here is the list I use for my customers. Some items overlap with those mentioned in the article, and combining the two lists creates a great "What NOT to do!" list of 20 things:

(NOTE: This posting has been revised and improved, go here to see revised version.)

1. “It will not happen to us” or “The problem will go away”
2. “Virus infections are just a nuisance and not a business continuity issue”
3. Authorising reactive short-term fixes
4. Failing to realise the value of their information and organisational reputation
5. Failing to realise the costs of lost productivity and downtime
6. Relying primarily on firewall and antivirus
7. Failing to deal with the operational aspects of security
8. Failing to understand the relationship of information security to the business problem
9. Assigning untrained people in an unorganised fashion to maintain security
10. Underestimating the costs of “catching up when the need arises”
11. “I can’t be held legally liable for lax information security”
12. “Security is the IT department's problem”
13. “My management are not concerned, so why should I be?”
