iso27diy-corp/marketing/publications/posts/s01p02en - All security risks start with a decision.md


---
title: All security risks start with a decision
language: en
proposition: advisory
series-id: s01
series-title: Security as an organisational challenge
series-part: 2
audience: leadership
channels: linkedin
linkedin-account: personal
content-type: post
status: published
publish-dates:
  linkedin: 2026-05-14T17:15:00Z
published-urls:
  linkedin: https://www.linkedin.com/posts/richardkranendonk_managingsecurity-activity-7460739462822592512-sZ68
notetype: publication
isotags:
tags:
---

Posted on 14 May 2026 19:15 CEST to LinkedIn personal stream

All security risks start with a decision

Most information security risks don't start with a technical problem. They start with someone making a choice.

HR gets the green light to implement new software without any confirmation of the state of information security on the vendor's side. An employee decides to use a private mail account with an online file-conversion tool. An employee is given access rights before they have been formally defined for her new role. A project starts without identifying the owner of the new data source.

This is the blind spot of information security: daily decisions in organizations that are in constant flux, taken by employees who are not aware of the risks they are introducing.

The most secure organizations are those where leadership realizes that every decision touches on security, and that information security cannot be the exclusive responsibility of IT.

Strong security comes from integrating risk assessment into decision making, and from integrating business processes with IT processes. Expensive tools and complex implementations are not required.

Do you want some examples? Here are four simple initiatives:

  1. Create a standard information security questionnaire for Purchasing, to hand out to any proposed vendor.
  2. Have HR check with IT on access rights while they are writing the new job profile, not when the new employee walks in the door.
  3. Make risk analysis a mandatory part of each project plan.
  4. Debrief departing employees on the tools they actually used, and take proper care in transferring their accounts and information.

Don't just ask "How will we make this a success?"; also ask "How do we prevent things going wrong, and who owns that?"

— Security as an organizational challenge — post 2/3

#managingsecurity