Improving IT security and implementing governance controls is a high-priority concern for corporate decision-makers. With IT security requirements continually changing as new threats emerge, a strategic solution that only delivers results upon completion at some arbitrary point in the future is not always adequate when security threats exist in the here and now. Augmenting strategic delivery with tactical activity is a fundamental requirement that is often overlooked.
Several high-profile security breaches have been reported in the media and have been the cause of great concern, and rightly so. But to what extent are assurance statements made to demonstrate corrective action that, in practice, have very little substance behind the words? An example is reporting that a consulting company is undertaking a review, that the findings will be published, and that actions will be agreed on the basis of its recommendations. This pending review might offer some protection in the event of a data breach: you could respond with “we know about the problems, and the matter is under investigation to mitigate the risks”. However, this does little in the short term to protect corporate systems and more to protect against accusations of ignorance and negligence.
Defining a set of tactical activities to reduce exposure to risk in the here and now, combined with a strategic review to address risk in the long-term, will make a world of difference.
Robert is an information security consultant with over 20 years of experience across a diverse range of organisations, both in the UK and internationally. Robert graduated in 1997 with an honours degree in software engineering for security and safety-critical systems. Robert is contactable directly through LinkedIn.