Sunday, November 16, 2014

A checkbox mentality week 8

In my last blog I discussed federal regulations and whether they were good or bad for security. In this blog I go further into why these regulations are bad for security. Risk management is not only about knowing your enemy and knowing yourself; it is about looking to the horizon at your enemy and setting controls and policies to redirect them. Sometimes the controls are not based on your needs but merely on checking off a box on an audit. When you accept a checkbox mentality, you are accepting an industry norm or average bar that may not work for your organization. You will model your security on what is required, not on what is needed. The checkbox mentality is what drives the "so what factor": upper management is forced to budget security to meet federal regulations. To change this checkbox mentality and raise the bar above the minimum, we must present a case based on needs and not on industry norms.

Federal security regulations are a blanket, or foundation, on which to build risk management. Many organizations fail to build upon those checkboxes and leave the company praying they get the threat before the threat gets them. With over 500 different government and industry-related regulations in existence, most organizations are forced to follow at least 100 or more of them, depending on their industry. They also have their own security policies to follow, and federal regulations not only differ from those policies but can sometimes contradict them, depending on geographical borders.

The ideal security mentality is checking the boxes off while still protecting the organization's assets. This comes down to visibility: looking past the horizon and seeing everything that contributes to risk management, including threats, asset criticality, vulnerabilities, and in-place countermeasures. Once your organization has visibility, it can understand the risk and optimize controls to mitigate it. Most organizations do not reach this level because of the checkbox mentality of IT managers, the "so what factor" of upper management, and the failure to build upon the foundation of federal regulations.
