In many ways, large organizations are no different than small organizations – they both are subject to threats and must account for vulnerabilities. How risk is mitigated may vary minimally; the biggest difference is that solutions for large organizations must be able to scale.
The bottom line is that every organization faces common and unique sets of risks, and every organization defines its own levels of risk tolerance. The risk posture and corresponding security initiatives must be calibrated in that context.
The approach I advocate is to start by bringing all internal stakeholders together in a collaborative forum. I think it’s critical that information security leaders find a way to provide visibility throughout the organization and get communications flowing so they can build a collaborative spirit and obtain buy-in from all impacted parties. Together, the group can identify the organization’s “crown jewels,” be they systems, applications, or information. They also can best determine where the “third rail” issues reside that would create unacceptable consequences should they come to pass. With this information in hand, you can prioritize the risks and focus on solving the issues.
BYOD adds a layer of complexity, no doubt. Everyone recognizes it brings benefits and drawbacks to the table. That said, its adoption is inevitable in most organizations, so I think you should sensibly embrace it instead of battling it.
BYOD drives a change in the way we think – we must be laser focused on protecting our virtual assets, because they will reside on a growing number and variety of devices that are not exclusively under our control. For me, that means taking extra precautions in close proximity to our intellectual property crown jewels, while empowering employees to leverage BYOD as much as possible to maximize their productivity.
Is it realistic to expect an organization will get ready to address all potential security risks? How much preparation is good enough? How do you tolerate risk?
Unlike the physical battlefield, cyber warfare is changing far more rapidly, with an unlimited number of permutations and combinations. There are so many more points of vulnerability, and the science is advancing at lightning speed. So, addressing all potential security risks may be outside the realm of possibility, but you have to try. This is where the value of building a team of stakeholders who can collaboratively prioritize the risks comes into play, so you can best prepare for the most likely scenarios.
My mantra is, “Don't become complacent.” Challenge yourself and your organization to move outside of your comfort zone. Static defenses like the Maginot Line didn't work in the 20th century, and their cyber-security equivalents will suffer a similar fate. Be resilient and always maintain a forward-leaning security posture.