There is a certain level of discrepancy in knowledge between the managers and technical experts. They both have their own work tasks that require expert knowledge in other areas, but often times they fail to hand over necessary information in a form beneficial and suitable for the tasks they are responsible for. It is quite common that a technical expert is unable to present information in a clearly understandable form while the manager often times does not know, which information is relevant for his or her decision making and which information shouldl he or she ask for.
Correct information is the crucial variable in the area of IT security, hence we shall pay more attention to such information. Since the main task of IT security is to ensure secure operation of systems necessary for operation of the organisation, it is inevitable to ask how much this department really contributes to IT security. Considering the facts mentioned above, I consider the following questions to be of key importance.
(1) What basic corporate functions shall be secured?
First, it is advisable to clearly define what shall be protected, what do we need for operation of the company and what obligations are imposed by the legislation. There has to be a clear list of priorities that must be mirrored in efforts dedicated to individual areas.
(2) What are the risks/ costs of IT security?
Once we know what needs to be protected, we also ought to know what will happen if the protection fails. Provided we have conducted the risk analysis we can take a qualified decision while respecting the financial costs involved. Without the risk analysis, it´s just a shot into the darkness. This analysis shall also form the basis for justification of budget requirements.
(3) What is our current status?
We shall be aware of the current status of our infrastructure. It is always an attempt to achieve an ideal status, however there is no such thing as an ideal infrastructure status.
(4) What shall be addressed first?
Having mapped the current status, we can identify shortcomings according to their severity. If we focus on the weakest points, the effect will be far stronger. One can compile a list of priority issues following defined criteria.
(5) How to assess success of measures adopted?
Once we answer all of the aforementioned questions, we shall have a clear idea about what, why and when shall we address. In order to be able to assess the efficiency of measures adopted one needs to know how such measures will be tested. If the tests are successful, we can move to issues with lower priorities.
“One important fact by way of conclusion. Do not underestimate IT security training of employees working with your data. Social engineering is the most common point of failure hence a thoroughly educated user is the best firewall of all.”
Authors: Martin Půlpán, CEO a Lukáš Mužík, System Engineer