Let's start with a question to get into the right frame of mind: "What is your organisation's priority? Corporate security compliance, or protecting your business and customer data?" The second question is whether your answer and your organisation's security strategy are actually aligned.
There are three answers to the first question. Some readers will answer "both" to play it safe. If your answer is corporate security compliance, that is not necessarily a bad answer. Many organisations expect that by adhering to security compliance frameworks such as ISO/IEC 27001 and PCI DSS, an appropriate level of security will have been designed and implemented in their technical and process systems. For some organisations an appropriate level of security is enough, and so they are satisfied with a compliance-focused security strategy. They also trust that the compliance frameworks are good enough to protect the general scope of their business. That trust is worth examining: each framework covers a defined scope (PCI DSS, for example, is concerned with the cardholder data environment), and controls designed for that scope say little about the threats to the rest of the business. This is where I have concerns about compliance-focused security strategies.
For me, the third answer is the right one: an organisation must focus on protecting its business and customer data. Probably everyone recognises this as the correct answer; however, in my experience, organisations treat it as important without it really being reflected in the way they approach and manage security. With greater use of outsourcing year on year in key areas such as corporate email systems and payment processing (according to the 2014 Information Security Breaches Survey by PwC), there are many risks and threats that need to be identified, understood and managed. Security compliance frameworks should be designed and implemented in your organisation as part of the security baseline: a fundamental layer of security on which more advanced layers are built. Those advanced layers should be focused on protecting your organisation's and your customers' data, and should be driven by the threat vectors that apply to your organisation's profile. Gone are the days when organisations really think about real security; most conversations are about compliance with standards. Many of the large organisations that have been breached recently had probably designed and implemented more than a few security compliance frameworks. Can you afford to ignore how often the attackers are succeeding?
I know that what I have said is basic, but some organisations are skipping the basics. The questions are: does your corporate security strategy hold any value? Is it really driving how you manage security now and in the future? Are you interested in finding out what real security means for your organisation, or are you satisfied with compliance?
Honest thoughts and answers please.