So first off, I think awareness and education are an important part of any comprehensive security program. BUT you can't assume that just by talking about security, or by training people on how to reduce their chances of falling victim to ID theft, phishing, or some other attack, you have significantly changed your company's risk profile!
I've recently seen a couple of senior security leaders expound on the fact that they just need to bring the knowledge to the company, and leave the rest to the operational people (sysadmins, network admins, etc.) to actually implement any controls, etc.
This fails on many levels. Without proper leadership, oversight, and guidance, the IT operational teams won't know whether they've met the requirements of the policies, best practices, etc. Someone needs to tell them to do more, to do less, or that they've hit the mark. This needs to be consistent and comply with all appropriate regulations, compliance requirements, etc.
The basic controls must be documented, standards must be developed and documented, and processes must be created in conjunction with stakeholders. The controls must provide metrics and results that are measurable (and can be tuned, improved, etc.), and all of this must match the company's risk appetite and work alongside the company's business objectives.
To expect that training alone will solve all of these issues is sheer sophistry.
->Pierre