Improving IT security and implementing governance controls is a high priority concern for corporate decision-makers. With IT security requirements continually changing as new threats emerge, the implementation of a strategic solution which delivers results upon completion at an arbitrary point in the future is not always feasible when security threats exist in the here and now. Augmenting strategic delivery with tactical activity is a fundamental requirement often overlooked.
Several high-profile security breaches have been reported in the media and have been the cause of great concern, and rightly so. But to what extent are assurance statements made to demonstrate corrective action which, in practice, have very little substance behind the words? For example, reporting that a consulting company is undertaking a review, will publish the findings, and agree on actions based on their recommendations. This pending review might offer some protection in the event of a data breach. You could respond with “we know about the problems, and the matter is under investigation to mitigate the risks”, however, this does little in the short‑term to protect corporate systems and more to protect against ignorance and negligence.
Defining a set of tactical activities to reduce exposure to risk in the here and now, combined with a strategic review to address risk in the long-term, will make a world of difference.
Information security, risk management, internal audit, and governance professional with over 25 years of post-graduate experience gained across a diverse range of private and public sector projects in banking, insurance, telecommunications, health services, charities and more, both in the UK and internationally – MORE