The IT security team need to understand their tasks and why they are important for the business. Traditionally, IT professionals, and especially IT security experts, pay insufficient attention to this dimension of their work.
Here are some of the measures that increase the understanding of the need for IT security throughout the organisation.
Avoid Doomsday Telling and Collect News: Only What Is Detected Is Real.
Organisations do not welcome risk visionaries. It is not wise to raise the alarm permanently in the organisation. The IT security team need to refrain from the “cry wolf” approach of informing about every potential risk that could happen. Whenever they need to report a real risk, they should accompany the factual description of the risk with two proposals for a solution: a short-term patch and a long-term set of security measures.
IT security needs to base its risk-related advice only on real events. A way to achieve this is to maintain a constant flow of security news into the organisation: security incidents happening to similar organisations, and new vulnerabilities and new threats appearing daily in reputable media.
Annual trends, data breach and top risk reports from industry players such as telecommunications providers, government agencies and security-related organisations are excellent sources of information. Share this IT security news with the organisation's stakeholders in an attractive format that entices them to read it regularly.
The knowledge that the team gain from these security events feeds their risk assessment process. They can create a list of threats, vulnerabilities and mitigating measures out of those security incidents. This list could start modestly, but it will soon become the team’s threat, vulnerability and measures database. This database will offer the security team a consistent way of assessing risks. The team need to keep this risk-related database up to date and revisit it frequently. This way, their risk assessments will be founded on real-life events, which is fundamental to justifying their security advice.
It is advisable to complement that collection of IT security news with the follow-up measures that affected organisations implemented to recover from the incident and to prevent recurrences. This type of information is usually more difficult to gather. We propose making use of industry publications, contacts in the industry and public resources such as the Internet (especially trustworthy sites).
Security incidents happening to the organisation itself are also a valuable source of information. Real-time monitoring should be part of the daily IT security activities.
It will enable the team to document the real threats that they detect. Only those real threats will justify budget for security measures. The ultimate goal of the team is to protect the organisation from those detected threats.
Creating an IT security incident response team within the IT security team is an excellent idea, based on clear-cut, swift and effective procedures. They will be the cornerstone for investigating and responding to security incidents, while also serving as a quiet but powerful demonstration to the organisation of why its business needs an IT security team.
Whenever an IT security incident happens, they will be ready to cope with it using a pre-tested plan.
Security incident scenarios change constantly. However, one element is permanent in all of them: intention. There is an agent (the threat) performing an action (exploiting a vulnerability) with a specific purpose. Unintentional events can also cause IT security incidents; however, lacking an intended purpose, they can be mitigated more easily.