Improving IT security and implementing governance controls is a high-priority concern for corporate decision makers. With IT security requirements continually changing as new threats emerge, a strategic solution that delivers results only upon completion at some arbitrary point in the future is not always feasible when threats to security exist in the here and now. Augmenting strategic delivery with tactical activity is a fundamental requirement that is often overlooked.
A number of high-profile security breaches have been reported in the media and have been the cause of great concern, and rightly so. But to what extent are assurance statements made to demonstrate that action is being taken when, in practice, there is very little substance behind the words? For example, reporting that a consulting company is undertaking a review, that the findings will be published, and that actions will be agreed based on its recommendations. This might offer some protection in the event of a data breach, in that the organisation can show it knows about the problems and that the matter is being investigated to mitigate identified risks. But it does little in the short term to protect corporate systems; it does more to protect against accusations of ignorance and negligence.
Defining a set of tactical activities to reduce exposure to risk in the here and now, combined with a strategic review to address risk in the long term, will make a world of difference.