Cyber Security Should Be Expanded To Departments Other Than IT: CII-KPMG (www.bgr.in) 38
An anonymous reader shares a BGR report: Cyber threats today are no longer restricted to a company's communications and IT domains, calling for more than just technical controls to avert attacks and protect the business from future risks and breaches, a new report said. According to the joint report of the Confederation of Indian Industry (CII) and KPMG, cyber security today embraces multiple units of an organization like human resource, supply chain, administration and infrastructure. It, therefore, requires governance at the highest levels. "It is vital to keep pace with the changing regulatory and technology landscape to safeguard and advance business objectives. Working backwards by identifying and understanding future risks, predicting risks and acting ahead of competition, can make a company more robust," said Richard Rekhy, Chief Executive Officer, KPMG, India.
Yes and no (Score:4, Insightful)
Do I agree that other departments need training in security?
HELL THE FUCK YES! The nastiest hole in most security systems are the stupid meatbags being stupid on their computers.
Do I think that there should be SOME input back from these other departments too? Sure. But in a healthy organization, this is already the case.
Do I think that these departments should be given policy and decision making powers over security policy?
HELL THE FUCK NO! That's like putting a blind and deaf sheep that's considered stupid (even by sheep standards) in charge of a flock in an unfenced field in wolf country.
In short, while feedback is welcome, and good ideas are always welcome, managerial control isn't. Because it's not their job.
Re: Yes and no (Score:1)
I have had to walk across the faciity to read a user's email to them. The reason: "it said URL so it is too complicated." We expect users like this to comprehend security? I dont expect them to get past the first word. It had sec-something in it. It is too complicated.
Re: (Score:3)
It is vital to keep pace with the changing regulatory and technology landscape to safeguard and advance business objectives. Working backwards by identifying and understanding future risks, predicting risks and acting ahead of competition, can make a company more robust
Wow, buzzword bingo in a single quote. Where's Weird Al when you need him? Right here! [youtube.com]
This consultant must have been toning it down though. I would have a expected a "proven methodology" and "commitment to quality" in there somewhere, and maybe a "seamless integration" too.
Ignorance shouldn't be an excuse. (Score:4, Informative)
The biggest problem in IT Security, is all the decision (those people outside of IT) claim ignorance, as those IT guys just talk techno babble.
So when there is legitimate problems, they just ignore IT and tell them to fix it. Vs. trying to take some time to learn about the problem and see if there are other solutions than just a computer fix.
Re: (Score:2)
Re:Ignorance shouldn't be an excuse. (Score:4, Insightful)
Yes. You can employ all the latest technical tricks and safeguards and the HR assistant is still going to send a list of all of your social security numbers to a "hacker" due to a badly formatted email that purports to be from the CEO. The number of times that outside parties simply pretend to be someone else and demand sensitive data to be sent to them, and it *works* is absurdly high. This is because people aren't trained and more to the point, have not been told that security is not their responsibility nor their manager's.
I agree that the Information Security group (NOT the IT department, unless you're too small for an IS group) should be crafting policy and training, and they should accept feedback about their efforts from the other groups, but ultimately they should not be overruled on InfoSec rules by the other departments unless there is executive sign off *in writing* to exceptions.
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
claim ignorance
Security is mostly / always at the cost of convenience, and often costs money budgets don't have (until it is too late).
I know that in our organization, security is always an afterthought, even though we in IT try to make it a priority. Decisions made by people who are ignorant are almost always wrong (broken clocks being right twice a day), because they are almost always based on convenience over security.
And when the inevitable security problems come up, they expect IT to fix them, without compromising al
Re: (Score:2)
Re:Technical solutions for social probs don't work (Score:4, Insightful)
We are all aware that technical solutions for social problems don't work. People will write down their passwords, because they have too many.
It's been shown that writing down your password is pretty much the safest thing you can do. If I can't write it down, I can guarantee my password is going to have to be something like puppydogN, and I'm going to use the same one on every single system because I can't memorize fifty different passwords and remember which one goes with which login.
What pisses me off most are the a$$holes in computer security who are now making me change my passwords to a new one every 90 days. Nobody has ever shown that this makes anything safer.
Great idea, but it will never happen. (Score:1)
Security is a process that you have to integrate in to every aspect of your business. It should be part of your training, planning, policy, business process, etc.
Trouble is, those that control the pocket books don't see it that way. They've been convinced that security is a service, or worse an appliance. It's a neat line-item that ticks a box and should be priced out to the lowest bidder.
To be fair, they see everything that way. Makes their jobs easy when leadership is a spreadsheet, a report, and a golf g
so more Shadow IT? or more we can do are own at lo (Score:2)
so more Shadow IT? or more we can do are own at lower cost (at the places that have IT bill other departments) and more PBH fights over stuff that they do not know that much about. I read in PBH magazine that we need to have X and I don't thing X.1 (just about the same thing) will cut it.
Necessary, but a waste of time. (Score:2)
Corporate cybersecurity must operate in such a way that it doesn't require the end users' cooperation, or it will fail. Sure, you can teach people best practices, how to spot phishing attacks, not to use the same password on every system they use; but as soon as you move beyond that, you've set yourself up for complete failure.
Re: (Score:2)
You need everyone's cooperation at some level. There is simply no way to prevent attacks unless you have everyone on the same page.
Yes, you might be able to track the HR assistant who sent the data and fire them, but too late for the company. You at least need to train them to the point that they,
a) Know the minimum that they have to do in order to protect their data,
b) Know that they can be fired for failing to protect that data.
You would not believe the number of people who make these sorts of mistakes
Re: (Score:2)
I mostly agree with you, but I think you might have missed my intent...
Why does a random HR employee have the ability to send an export of all employee data to an external address? Why would the CEO legitimately need to ask anyone to send them data (as in, the d
No (Score:1)
NO (Score:2)
they only figured this out now? (Score:2)
This has always been the case.
Unfortunately, most companies treat information security as an IT task instead of a company wide mindset.
In the push and pull of security vs. convenience IT generally loses.. but they *do* get to take the blame once things go wrong.