From all of the security controls an organization could deploy, which one do you feel adds the most actual value for day-to-day information security and why?
In my opinion, there is but one control that is key to all the others: Competence. Competence comes in a number of ways, including:
– Awareness (ability to recognize a situation, and act on it)
– Skills (ability to do a task correctly)
– Motivation (ability to do the right call of action, even if there are easier ones available)
This is obviously not a complete list!
From a security perspective, competence is the control that enables the organization to recognize threats early, to act on an incident in a constructive and loss-reducing way, and a key to have your employees accept and follow the policies you implement.
Competence is a vital part of building security culture. Building and maintaining security culture should focus on building competence, and then use policies and technology to make it easy for the employees to do the right thing. After all, if I do not know what response you expect me to take during an incident, how can I do the right thing?
If you are uncertain of how to build security culture, you can always partake in our discussion at the Security Culture Framework community: https://scf.roer.com It is even free.
Kai Roer | The Roer Group | Senior Partner | @kairoer
To find out more about our panel members visit the biographies page.