When I was a teenage a Gym instructor told me that if I workout 1hour everyday for 3 months I can certainly build a healthy and well shaped body. However, he also warned me not to overdo exercises. He clearly warned me that if I start doing workout for 5-6 hours per day for (say) 15 days it’s only going to harm my body.
Point taken and I am sure most of us will agree with this piece of advice.
I wish management executives understand this wisdom and start applying the same in IT Security and risk management projects, more specifically in compliance projects.
Time has come when at least large organizations are under pressure to meet the compliance & regulatory requirements. Certainly it’s a long awaited milestone and will have significant impact in developing a positive security posture. However conventional style of project execution involving pushing your team members hard to reach targets ASAP may easily lead to frequent failures and finally loss of this long awaited opportunity.
Reaching compliance levels is not a 2-3 months job (unless and until organization/team is very small). We may have such short duration projects for planning and preparation of external certifications such as ISO27001 or PCI (Though not recommended). Still to have a sustainable and secure environment we will have to have a plan extending in years not just months. Not to forget that, even if you have received external certifications in 2-3 months you are bound to go for regular reviews which will require a sustainable security posture.
To succeed in forthcoming reviews and become really resilient to IT Security Risks, your employees and process owners must dissolve the policy, process and procedures in their day to day working. Just attending security awareness trainings and then signing attendance sheet will not solve the purpose. I have seen many cases where employees have gone through a lot of security trainings or quizzes but still they don’t understand the basics of their company’s security procedures.
Organizations will have to realize that attaining a sustainable security posture is a gradual process and may easily take years and multiple reviews. Have patience and work with your employees. Let it become part of your organization’s work culture and gradually cost of security projects will start coming down system administrators as well as end users will become proactive. Reporting of security incidents will not be considered as a time wastage activity and Information Security Managers will no more be considered as police man.
Thursday, June 26, 2008
Subscribe to:
Posts (Atom)