As organisations identify security improvements to better protect their assets, they also realise that scarce resources can only be used once: either to improve performance or to reduce risk. Sometimes you are lucky, and both can be done at the same time.
Do you also explicitly consider whether to use your resources to stop the incident or to solve the problem, that is, to focus on the short term or on the long term?
Every time you determine that a security weakness exists in technology, consider the root cause of the weakness that you want to mitigate:
- Technology – Were technology configuration settings, or even worse, technology choices, the cause of a security weakness?
- Process – Was a process missing that could have avoided the technology weakness, or was a process not operating effectively?
- Governance – Was management aware of the flaw, and not adequately responding to the issue?
- Culture – Was the focus of the organisation merely on performance improvements, and only to a limited extent on risk management?
For example, consider a relevant security patch that has been identified as missing. In this case, obviously, you can improve by implementing the missing patch. But if you observe such a weakness, take a moment to also consider the real cause. Answer the question: why is this patch not implemented? Was it a flaw in the patch management process? Who decided on the patch management process, who was informed about issues with the patch management process, and was the reporting adequate? Did management respond to identified security patching issues? Was the cause of the missing patch that performance was valued over risk, or worse, is the organisation unconsciously increasing its risk profile?
So, once you notice a security weakness in technology, do determine its cause at a higher level: process, governance, and even culture.
And the homework of this week: consider a number of known security weaknesses in technology. Deduce the likely causes in governance and culture. Do you recognise a pattern?
Let this homework bring you to a higher level!