In your opinion, what are 3 key elements to succeed in a positive security culture and what tips can you provide to implement change, successfully?
I’ll address this month’s question from a small business perspective only (max 3 FTE in IT):
In a small enterprise, finding support and budget space for security is very difficult in most cases. It gets even worse due to the fact that anything you do will likely only “patch” the most obvious holes while leaving others in place. As is the case with most AVs, this could just create new attack vectors.
Security is difficult for small enterprises. It’s so hard that I’ve even started advocating for the creation of a “minimum viable security” concept for small- and maybe also medium-size companies. Were such a concept to be developed and published, it would then be up to security/services companies to prepare a package of products, services and training protocols that could be delivered to SMBs at an attractive price.
I think this is one way smaller organizations could be helped to create unique positive security cultures.
Another option for small enterprises is simply to outsource everything and/or store most of their infrastructure in the cloud. That option could simplify things, but it would also require a lot of trust on the part of businesses. Are you really prepared to trust third-party companies to this degree? Outsourcing means fewer employed FTEs, which in turn means fewer employees who actually care about security. At the end of the day, maybe fully outsourcing one’s infrastructure actually weakens an organization’s security culture by depriving it of agency.
I’m sure a lot of my fellow CIOs actually do trust their cloud providers, but should they? Promoting trust is easier than providing actual security, so I’d recommend that cloud providers remove those grey areas from their contracts and work with their clients to increase security. Better yet, they could offer a transparent and affordable security package that works.
Claus Cramon Houmann | IT Security Consultant |@ClausHoumann