
Thinking Information Security is Someone's Job

There is a lot of buzz around cyber security in terms of technology, processes and regulatory compliance, but very little is said about people, i.e. the human factor. Yet it is people who use these technologies and this data, and people who develop and follow these processes and regulations, which makes them the most important element of the PPT (People, Process, Technology) trilogy.
Developing this human factor is the core of any security strategy, whether for physical or cyber security.
People play many roles in this ecosystem of systems and assets: ordinary end users, system or process owners, business stakeholders, administrators, security experts, production managers, security personnel and so on.

Cyber security is highly dynamic, so the PPT trilogy needs to be kept in balance. The time has come for a change of mindset, and this is acknowledged by standards and regulations such as ISO/IEC 27001, PCI DSS and HIPAA, which make management commitment and accountability mandatory requirements. Business leaders and managers tend to think that a dedicated person has been appointed who is solely responsible for security matters, forgetting that information security is the responsibility of every individual who handles any kind of data as part of their day-to-day job: each such individual is responsible for the confidentiality, integrity and availability of that data.

Until now it was assumed that the day-to-day maintenance and availability of business processes and systems were the only tasks of business operations management, but as the cyber world has evolved, new threats have arisen, largely due to the human factor, such as:

1. Not understanding that, as individuals, they are responsible for the confidentiality, integrity and availability of the data they handle as part of their day-to-day job.
2. The mindset that information security is someone else's job.
3. Inadequate training on information security.
4. Thinking that technology by itself can protect the business against security threats.
5. Assuming that merely formulating a process will improve the security posture.
6. Appointing security personnel without management buy-in, which makes such appointments ineffective and inefficient.

Thinking that information security is someone else's job has serious consequences: corruption of data (integrity), disclosure of classified data (confidentiality), and loss of uptime and performance of business systems for lack of backups and a restoration plan (availability).
We are witnessing numerous compromises that begin with social engineering, and social engineering is what made ransomware the most popular cyber weapon.

We must understand that availability is an operations management task, and operations managers therefore need to understand that it can be undermined by:

   1. Thinking that patching and vulnerability management are not part of operations management.
   2. Thinking that system hardening is not part of operations management.
   3. Failing to understand their responsibilities as custodians of the systems and data.
   4. Failing to understand the importance of segregation of duties.
   5. Thinking that access control is the job of technology alone.

In short, almost any kind of compromise ends up impacting uptime, i.e. the availability of the systems, if only because containing the incident and recovering from it takes systems offline.

I have been practising information security for quite some time, and from my experience I can say that the major challenge I have come across is the mindset of people (senior leaders, managers, admins and end users). Now that we understand how important the human factor is, the next question is how to mitigate this risk.

The answer is:
  1. Security professionals need to educate business leaders.
  2. Business leaders need to understand that they are accountable and need to provide the required commitment.
  3. Consistent security awareness training for the entire organization.
  4. Development of security policies.
  5. Establishing internal audits.
  6. Depending on the industry, achieving compliance with regulations and standards such as ISO/IEC 27001, PCI DSS, HIPAA, etc. Compliance does not guarantee 100% security, but it provides reasonable assurance of being secure and helps avoid legal action.
  7. Along with quality of work, developing a company-wide culture that integrates information security into everyone's day-to-day job.
At the end of the day it is all about people: for the people, by the people.
