Can you start building a security architecture without a foundation?

Ideally, when constructing a building (e.g. a house), you start from 0 to 100: build the foundation, erect the structure, then fit the windows and roof, and finish off with cosmetic tasks like painting and plumbing. While this bottom-up approach is ideal and feasible for the physical construction of things like a house or an aeroplane, it may not be so ideal for building a business information security programme, given that for years information security has been an afterthought practice: systems were developed first, and security folks were then asked to add on security controls, or a layer of security on top of an insecure system. That was neither security by design nor security by default.

Of the organisations I have had the honour to visit or assess, some have a formalised security programme or information security management system (ISMS) through which they coordinate their information security activities coherently, while others have no formalised security programme at all. The question I have been asking myself is: can someone start from the middle, or put together whatever they already have, to arrive at a complete business information security architecture?

YES – I think that is the answer, based on what I have seen so far. In the next post, I will expand on how an organisation can start in the middle and complete its business security architecture.

Cybersecurity Resilience: the 3-dimensional approach of Technology, People and Processes (TPP)

Sony, Target, Equifax, Facebook, Kaspersky, Iran Nuclear Plant: do these names ring a bell?

You might have noticed them in newspaper headlines (or in a blog post somewhere like Dark Reading or The Register). What they have in common is that they are big organisations, and all have been breached at one point in their business lifetime. The question is not whether you are going to get breached, it is a matter of when. The question to ask yourself is: do you have enough resilient controls for your business to sustain these attacks and continue serving your customers or the public?

If the reality hasn't sunk in yet, I think it is the right time to review your Incident Response Plans and the resilience of your infrastructure and processes (and don't forget your PEOPLE; their resilience matters the most).

In preparation for building the resilience needed to respond to an attack, it is better to start at the grassroots level with the following questions:

  • Why are most organisations not prepared to respond to security attacks?
  • What does reasonable resilience look like from the three dimensions of Technology, People and Process (TPP)?

In the next post, I will expand on these two questions; for now, let's leave it here.