Five Warning Signs Your Security Policy Is Lacking
Warning signs of a weak security policy from SunGard Availability Services
When it comes to security, there's a natural tendency to think in terms of technology. But in reality, a lack of security has more to do with the absence of processes to ensure that we have security than any particular missing piece of technology.
With that in mind, Christopher Burgher, associate principal with SunGard Availability Services' Security Consulting, has come up with five signs that would strongly indicate that your organization has no real process in place for managing security. According to Burgher, missing one of these signs might not be fatal, but chances are pretty good that if you're missing two or more, it's just a matter of time before some form of security crisis comes your way.
Burgher says that most IT organizations are not aggressive enough about managing security as a cost to be avoided. That means that rather than invest in a raft of technologies that are largely unmanaged as they relate to any security process, IT organizations would be better off if they simply took a step back to assess which data needs to be secured -- and when. In addition, Burgher notes that if nobody is actually responsible for managing security processes at a senior level in the company, that means nobody in the company is accountable for security.
Most IT organizations will eventually find that compliance requirements are driving most of their security requirements, so the next best thing they can do after establishing their security policies is start thinking in terms of how many of those processes can be automated. All too often, the cost of security is tied up in manual processes that require expensive security talent to implement. Paying high-priced talent to manually check configurations, for example, is a significant waste of time and money.
Most of what Burgher is describing here can be filed under the heading of common sense. But you would be amazed at the masses of organizations that have bought every type of security product ever known without ever setting up any kind of security process for those products to implement.