Been thinking a lot about security lately. I think the 60 Minutes video on cyber attacks was enlightening. If you’ve not seen it, you can catch it online at the CBS site or the link above. Today I spoke to someone on the phone in another enterprise who commented that they were very fragmented and under-investing in electronic security, and I just shook my head. It seems like this is an area that you simply must keep investing in, asking questions about, and touching over and over with your team and others.
I am spending more time in this area and I keep challenging myself and others to try to think about the things we don’t know. That sounds ridiculous, but that is the real problem. We don’t know what we don’t know and we’ve got to keep seeking out the edges and the new happenings in the cyber world and the latest learnings by others.
Several specific things are needed in this space. First, organizations need to have people who attend trade shows and conferences on electronic security to see what is happening ‘out there.’ Second, organizations should have dedicated in-house resources who spend 100% of their time on this domain. You just need to have your own experts for advice and focus in this area. Third, I think you need to adopt industry practices or standards (ISO 27001 and ISO 27002) to help you make sure you are covering all the right domains. Finally, I think that you need to occasionally engage with third parties to test your security. You can’t just trust that you are doing the right things; you’ve got to be tested by someone else.
This is a challenging area. As I said in an earlier post, it is one of the two areas in IT where you never really reach the destination; you never can sit back and relax.