Where Preparation is Inadequate Security Vigilance is Paramount

As a business executive you do not need to understand hashes, ciphers and cryptography any more than you do the degradation algorithms for roads in sub-tropical environments, or the chemical reactions leading to algal blooms in community waterways. There are specialists whose job it is to manage those complexities.

But just like these scenarios, your job as a business leader is not devolved. When it comes to organisational security you must be able to answer the question: “what would we do when risk mitigation fails and a potential event becomes a real and present issue?”

Basically, how will you respond?

The reality we observe is that senior executives and decision makers are operating in a period where vigilance is paramount but where preparation is sorely inadequate.

The PCA Security Profile Matrix provides a simple approach that allows executives to better understand their organisational profile based on their approach to enterprise security. This is the first step in correctly identifying the security protections your organisation needs when the inevitable occurs.


The PCA Security Profile Matrix characterises organisations into one of four security capability models: Reactive, Proactive, Responsive or Intuitive. Each category:

  • has an identifiable set of security approaches, which are cumulative across the levels; and
  • places responsibility for security management within a shared or joint-responsibility matrix between the customer organisation and a range of different service providers.

The security services we’ve identified against the matrix are common, not exhaustive. They include technologies, services, processes and roles and are sufficient to provide a lead-indication of overall current organisational capability.

[Figure: PCA Security Profile Matrix table]

As we have articulated many times before, security is a business problem and not a technology problem. Think about your own personal credit cards. When they are breached and you receive an SMS or a telephone call from your bank, do you pause for a second and think, “hang on, I’d better let the IT person in my house know”? No, you don’t. IT security should not be thought of any differently.

While the threat vectors are more diverse within an enterprise environment, the antagonist is looking to do the same thing as a credit card skimmer. They wish to access or use information to which they are otherwise not entitled.

The implications for such breaches are well documented: brand and trust dilution, financial loss, destruction of capital and assets; and the list goes on.

Clearly, until such time as the market returns to a single-throat-to-choke model, it will be incumbent on every organisation to ensure a clear thread between, and ownership of, each moving part within its overall security architecture.

Today the biggest mistakes you can make when it comes to security have nothing to do with technology. They are in fact:

  • Thinking that someone is empowered to take care of it – they aren’t.
  • Thinking that a security event won’t happen to your business – it will.
  • Thinking you or your organisation are “the smartest guys in the room” – you’re not.
  • Thinking every security professional or vendor peddles Fear and Doubt – they don’t.

Bottom Line: Businesses are generally under-prepared to deal with the reality of today’s pervasive digital threats. This has as much to do with the state of their legacy environments, or how they have always managed security, as it does with the fast pace of change acting upon the security sector within the ICT industry. Stop questioning whether to give security a budgetary boost in the next financial year. Assess your organisational profile today and understand your ability to respond.

____________________

1. PCA defines Unified Threat Management as a platform comprised of a hardware-software appliance with a unified monitoring console capable of coalescing Anti-Virus, URL Filtering, Anti-Spam, Intrusion Protection, Application Control, Data Loss Protection, VPN and Reputation Defence.