Where do you start to improve your security? With the cause or the effect?

As organisations identify security improvements to better protect their assets, they also realise that scarce resources can only be spent once: either to improve performance or to reduce risk. Sometimes you are lucky and both can be done at the same time.

And do you also explicitly consider whether to use your resources to stop the incident or to solve the underlying problem, that is, to focus on the short term or on the long term?

Every time you determine that a security weakness exists in technology, consider the root cause of the weakness you want to mitigate:

  • Technology – Were technology configuration settings, or even worse, technology choices, the cause of the security weakness?
  • Process – Was a process missing that could have avoided the technology weakness, or was an existing process not operating effectively?
  • Governance – Was management aware of the flaw, and did it fail to respond adequately to the issue?
  • Culture – Was the focus of the organisation merely on performance improvements, and only to a limited extent on risk management?

For example, consider an identified missing and relevant security patch. Obviously, you can improve by implementing the missing patch. But if you observe such a weakness, take a moment to also consider the real cause, and answer the question: why was this patch not implemented? Was it a flaw in the patch management process? Who decided on the patch management process, who was informed about issues with it, and was the reporting adequate? Did management respond to the identified security patching issues? Was the cause of the missing patch that performance was valued over risk, or worse, is the organisation unconsciously increasing its risk profile?

So, once you notice a security weakness in technology, determine its cause at a higher level: process, governance, and even culture.

And the homework for this week: consider a number of known security weaknesses in technology and deduce their likely causes in governance and culture. Do you recognise a pattern?

Let this homework bring you to a higher level!