Posted by: David Scott
In battling the Infinite with the Finite (that is, battling expanding, limitless threats with your budgeted, and therefore limited, resources) we must recognize that:
- Cost per incident is increasing.
- Malicious attacks rival human error as the #1 cause of breaches.
- Keeping up with threats, by sheer number and evolution, is ever more difficult.
- Scams are more targeted: at businesses and individuals, based on who they are, what they do, and how they do it.
- Scams look ever more like legitimate communications and solicitations (by virtue of “inside” information and references, as well as matching format, style, aesthetics, etc.).
The best defense is not a sole-source protection. What good is a robust IT awareness when threats are streaming into the face of Business? IT is but one department among a host of departments and outside entities with whom the organization does business.
The business of securing business is handled by Business… and IT.
A head-on approach and a broad-front engagement are necessary: a “community” awareness and shared responsibility amongst all departments and users. Everyone is a stakeholder in having a secured organization, and everyone has a responsibility in maintaining and advancing security. Everyone must own security.
This includes knowledge – and understanding – of organization-wide security policies, procedures, treatments (of assets and data), and reportage and remediation of issues.
This is not only the best defense… it must be the best offense. Proactivity is key in the face of strategic threats.
Defense is too often static and reactionary. An offensive security posture means that the organization is scanning the horizon, looking for threats to engage and thwart: meet the threat before it matures, at the point where the organization has a natural security momentum for meeting, engaging, and defeating it before it manifests as a bad outcome.
As an example of this dynamic, imagine a specific scam that is targeting organizations such as yours. Given the organization’s forward security posture, everyone in the org is keenly aware of security news and reportage of gathering threats. Someone, anyone, in the organization reports the threat through e-mail, raises it in an all-staff meeting, trots into IT on their way to get a cup of coffee… IT downloads a patch, updates malware protection, sends out a community-wide communication with sanction from governance… updates policy… and so on.
That is where awareness and action come in: through knowledge shares (such as this one), through collaboration with other organizations, and through actualizing everyone’s engagement as a stakeholder, an owner, of the organization’s health and surety.
In battling the Infinite, this is what it is going to take. This is what it already takes.
Get on it.
August 23rd: On this day in 1617, the first one-way streets were established (London).