Summary

Building real security is not an easy task. It is a continuous process that is made up of much more than equipment and policies. Real security is much like a living, breathing organism. Just like a living organism, security requires care and maintenance; otherwise, its useful value will diminish over time. Senior management plays a big part in this process. They have inherited this leading role because real security is possible only when senior management demands it. Many organizations don’t take security seriously and simply reject risk. This foolish attitude is based on the hope that it just won’t happen to them. Fortunately, many other organizations do take security seriously—some so much so that they have developed gold standards. These gold standards go far above and beyond what could be seen as a minimum standard and actually set a benchmark for others to strive for.

No matter where your company resides along the security continuum, there is always room for improvement. One of the best ways to improve security is to build it into every aspect of the organization, assess risk when new ventures or processes are considered, and perform periodic vulnerability assessments to benchmark where the organization really falls between written policy and actual practice. These goals are made easier because there is a multitude of written documentation to help us meet this challenge, including ISO 17799, COBIT, and NIST documents. Just remember that change usually doesn’t happen in a vacuum. Make sure you know what the catalyst for change is in your organization. It may be a need to demonstrate due diligence, a need to comply with state, provincial, or federal laws, or a breach in security.
