This is a blatant self-promotion, so feel free to ignore it!
I presented today at the BrightTalk Summit ‘GDPR: One Year Later’:
The title should be: Why YOUR Information Security Policies (ISPs) are Pointless, but I figured this title was far more contentious/click-worthy.
If you’ve come this far, you’re in one of two groups:
When I say that your ISPs are pointless, it’s because in all likelihood they are. Assuming you even have a policy set (policies, standards and procedures), ~20 years of consulting experience has shown that they invariably:
Bottom line is that I have never seen a policy set done well, and it’s not a coincidence that I’ve never seen security done well either. These two things go hand-in-hand and you absolutely cannot have one without the other.
Yes, a decent policy set is ‘paperwork’, yes, it’s bloody difficult and time consuming, and no, it’s not even remotely sexy, but don’t bother trying to get a security program in place without them. Seriously, don’t even bother, because it will fail.
Lego don’t send out a 4,000+ piece Death Star set without detailed build instructions, and that’s exactly what your policies, standards and procedures are: instructions on how to do security appropriately within your organisation.
So why don’t all security folks take this more seriously? Two main reasons: 1) they are so focused on technology that the processes fall by the wayside, and 2) they have tried over and over and finally gave up, electing to do what they can, knowing full well it will never be enough.
Security is about People, Process and Technology, in that order, because without a policy set you will have:
A decent set of information security policies ties all of this together into a sustainable program, and if you still don’t think they are that important, you are simply not paying attention.
There is an old wisdom story about a truck that gets stuck under a bridge. The details vary, but the gist is that all conventional [old school] thinking fails to solve the problem, but out-of-the-box thinking [a young girl/boy] gets the job done.
If you’ve not heard this overused (and yes, [pun intended] ‘tired’) analogy, the premise is that:
In July/August 2014 the ALS Ice Bucket Challenge changed forever how charities should have organised their fundraising efforts. Replacing the usual guilt-trip approach with something fun/‘socially mandatory’ resulted in hundreds of millions being donated to a cause few people had even heard of, let alone cared about.
According to every statistic I’ve read, there is still a huge chunk of business owners who have not even read the GDPR yet, let alone done anything about it. To be clear: no matter the size of your business, you have to comply.