It has been 25 years since I started helping organisations to manage their IT risks, and with that to protect both their own data and their customers' data. Now that I regularly receive requests to share some of my ideas, it feels like time to start a blog. The time also feels right because data breaches, privacy issues and security threats in general are in the news almost daily, and have become relevant to everyone.
It is time to treat security as a topic that is relevant to all people, both in business and in private life. At a minimum we all have the role of end-user, and that role means consciously maintaining security awareness and acting on it: not clicking on links in unexpected emails, patching applications promptly, protecting your devices, and of course keeping your passwords confidential.
Protecting data and systems feels like protecting ourselves against bad weather. The attack surface of data and systems is often as hard to predict as the weather. We also have to be aware of climate change in security, the equivalent of long-term shifts in weather conditions, and a more extreme security climate is already arriving. During my 25 years in the field of security and risk management, it did not become easier to stay dry.
Aware of this climate change, organisations need to spend more of their time and effort on protecting their assets. While doing so, they should understand the value of what they are protecting, from both their own perspective and the perspective of (potential) attackers: an asset that looks unimportant to the business may be exactly what an attacker is after.
In the past, organisations implemented good practices, and there was a sense that this was good, and also good enough. Now we understand that good practices (e.g. the Code of Practice for Information Security) are useful, but insufficiently cover the measures needed in a more extreme climate. Consider for instance spear phishing, hacks of cars and planes, fraudulent transactions, and the destruction of services, data and systems.
Organisations should not focus only on preventive security measures; they should also increase their efforts to detect attacks promptly and to respond to them swiftly, since a measure that merely delays an attacker is of little use if nobody notices the attack.
In the end, organisations have to understand their business and IT risks, and manage those risks with adequate protective measures. Coming blogs will cover related topics such as audit, risk management, compliance and monitoring, control frameworks, and cyber defence, and how these operate together to protect organisations against IT risks.
More to follow!