You need a foundation before raising your house.
Avoid complexity when you talk about security: back to basics
I just came across a really interesting piece of news about the latest IT Security Summit conference of the Gartner research center. Normally the people who speak at these shows talk about what you need in your enterprise to upgrade your security. Normally they talk about the latest technology you need to stay up-to-date and a step ahead of hackers. Victor Wheatman, vice president and research area director at Gartner, said the opposite. His speech was about what enterprises don’t need in the field of computer security technology. He says that they need to go back to basics if they really care about their security infrastructure.
Wheatman also singled out “500-page security policies” and security awareness posters as things an IT manager would be better off not spending company resources on. “You do need security policies, but not ones so large that no one reads them. It is also important to have a business continuity plan. We got a lot of calls when the hurricanes came through Florida, but for the most part, that was a little too late.”
It’s the same as with physical security. If you are not the president of the United States, you don’t need 10 bodyguards, aerial surveillance and 15 hidden snipers when you walk down the street. You only need some basic awareness principles. A basic procedure like Jeff Cooper’s color code. The more complex the procedure is, the fewer people will follow it. It’s the same principle as in self-defence. You won’t use your kung-fu style if you are assaulted in a bar. You’ll use your gross motor skills, the ones that don’t need any reflection to use. You won’t look at every person and think about all possible scenarios when you walk down the street. You unconsciously check for hints that could point to a possible threat. It’s the same thing with a computer security policy: you need it to be as simple as possible for all of your employees. If your protocol is not simple and straight to the goal, your employees will not follow it. You can write a more elaborate one for your system administrators, but not for your normal employees; this is not their job, and they are a big part of your security infrastructure, so take care of them! This is a question of human nature.
Another interesting thing that I noted in this article is this discussion:
Perhaps most importantly, an IT manager needs to demonstrate to the executives within the company how to take better advantage of the systems it already has through the use of security.
“We have an appalling absence of basic management metrics for our trade. If you can measure a problem accurately, you have the Holy Grail,” Smith said. “But what you also must have is a champion at the board level. Without senior-level support, nothing will ever happen and you are doomed.”
I already discussed this in this article some weeks ago. It just connects my thoughts with this fact.