Top Security Mistakes to avoid Ver 2
OPINION PIECE
The first time we posted this opinion piece it was one of the most popular stories read last month on this blog. Since it was posted we have collated the findings of our global CxO Security Assessment survey and are now in a position to improve and revise the list of Top customer security mistakes, this time separated into "Soft mistakes"(less obvious/subtle mistakes) and "Hard Mistakes" (more obvious and conscious mistakes.)
The story behind this list is as follows : as I consult and do security assessments with many customers, I am fairly accustomed to telling them what to do. However, every now and again a shrewd IT manager or CSO/CISO will ask me "What mustn't I do?". Initially I couldn't provide an answer, but after a while I understood the crazy logic. Faced with the challenge of 100 things that need doing in a security program, perhaps it does make sense to look at the things NOT to do first - maybe the list is shorter and it will help you priorities things!
Soft Mistakes
The first time we posted this opinion piece it was one of the most popular stories read last month on this blog. Since it was posted we have collated the findings of our global CxO Security Assessment survey and are now in a position to improve and revise the list of Top customer security mistakes, this time separated into "Soft mistakes"(less obvious/subtle mistakes) and "Hard Mistakes" (more obvious and conscious mistakes.)
The story behind this list is as follows : as I consult and do security assessments with many customers, I am fairly accustomed to telling them what to do. However, every now and again a shrewd IT manager or CSO/CISO will ask me "What mustn't I do?". Initially I couldn't provide an answer, but after a while I understood the crazy logic. Faced with the challenge of 100 things that need doing in a security program, perhaps it does make sense to look at the things NOT to do first - maybe the list is shorter and it will help you priorities things!
Soft Mistakes
- Not having an information security strategy
- Failure to get executive support for your security program
- failure to track key security metrics
- Thinking that security is only a technology or IT Dept. problem
- Underestimating the costs of "catching up" when the need arises
- Thinking that you can't be held liable for lax security
- Equating compliance with security
- Failure to realize value of your information and organizational reputation
- Failure to understand relationship of IT to the business process
- Failure to consider security in outsourcing and collaboration relationships
Hard Mistakes
- Authorizing short term "knee jerk" fixes
- Assigning untrained people in unorganised fashion to maintain security
- Failure to recognize importance of security awareness programs
- Failure to realize that traditional perimeter security is dead
- Failure to protect laptops, PDA's and corporate home-use computers
- Failure to institute effective change management
- Failure to implement a defense-in-depth strategy
- Failure to learn from others' mistakes!
- Failure to implement a vulnerability management strategy
- Failure to realize that viruses, worms, spyware and Spam are a business continuity issue and not just a nuisance.
RELATED TOPICS : This article was subsequently published in a few European countries.
CATEGORIES: 1opinion piece, 1trends, 1best practices,1survey, 1users
posted by Dwaine at 10/20/2005
0 Comments:
Post a Comment
<< Home