One Article Review

Source: NoticeBored
Identifier: 411410
Publication date: 2017-09-25 15:51:23 (seen: 2017-09-25 15:51:23)
Title: NBlog September 24 - five-step bulletproofing?
Text: In the course of searching for case study materials and quotations to illustrate October's awareness materials, I came across "5 ways to create a bulletproof security culture" by Brian Stafford. Brian's 5 ways are, roughly:

1. Get Back to Basics - address human behaviors, including errors. Fair enough. The NoticeBored InfoSec 101 awareness module we updated last month is precisely for a back-to-basics approach, including fundamental concepts, attitudes and behaviors.

2. Reinvent the Org Chart - have the CISO report to the CEO. Brian doesn't explain why, but it's pretty obvious, especially if you accept that the organization's culture is like a cloak that covers everyone, and strong leadership is the primary way of influencing it. The reporting relationship is only part of the issue though: proper governance is a bigger consideration, for example aligning the management of information risks and assets with that for other kinds of risk and asset. Also security metrics - a gaping hole in the governance of most organizations.

3. Invest in Education - "Any company that seeks to have a strong security culture must not only offer robust trainings to all employees-including the c-suite-but also encourage professional development opportunities tailored to their unique focus areas." Awareness, training and education go hand-in-hand: they are complementary.

4. Incentivize & Reward Wanted Behavior - e.g. by career advancement options. Again, the InfoSec 101 module proposes a structured gold-silver-bronze approach to rewards and incentives, and I've discussed the idea here on the blog several times. Compliance reinforcement through rewards and encouragement is far more positive and motivational than the negative compliance enforcement approach through pressure, penalties and grief. Penalties may still be necessary, but as a last resort rather than the default option.

5. Apply the Right Technology - hmm, an important consideration, for sure, although I'm not sure what this has to do with security culture. I guess I would say that technical controls need to work in concert with non-tech controls, and the selection, operation, use and management of all kinds of control is itself largely a human activity. The fact that Brian included this as one of his 5 ways betrays the widespread bias towards technology and cybersecurity. I'd go so far as to call it myopic.

Personally, and despite
Sent: Yes
Tags: Guideline


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.