Command an Incredibly Realistic Approach to Security
Currently, one of the highest IT skillsets in demand is “Information Security”. Unfortunately, this is also among the most controversial regarding approaches to take. The IT Security Departments went through an extreme budget cut as part of post Y2K in the early 2000s. As an example, one Fortune 100 corporation cut all IT by 25% within 2 months. The focus shifted to the most sizable cuts to be in training and security. Even CSO (Chief Security Officer) positions were being eliminated.
When the viruses began to take significant notice in 2003-2005, IT Security in the business world slowly began a return. That time, however, the old idea of the “fear factor” was now known not to be tolerated. That time period is considered “IT Security Gen 2”. The need for a logical and business security approach was key for IT Security survival. Then, although awkward at times, it evolved into now including a “likelihood” factor to be included in explaining security risks.
Currently, there are sometimes local IT security forces who are attempting to override the likelihood factor by focusing more intensity on the “potential loss and damage” for a security scenario. In other words, the tendency has been returning to the “fear factor” thought process. So, in management of today’s IT Information Security, there is a need for improving on the following areas:
- IT Infosec staff’s EQ (Emotional Quotient), aka Emotional Intelligence.
- Using risk activity trends and forecasting (nationally, globally, and by industry)
- Return with emphasis towards likelihoods of a risk scenario.
- Implementation and Maintenance Costing of current and recommended changes to security.
With that said, here is an overall list of aspects to consider as an approach to security in current times.
- Follow NIST Standards as a Guide. One size doesn’t fit all industries or organizations. Your security approach must work with your Operation, Resources, and Customers.
- Be Open to Current, Developing Approaches.
- “The Fear Factor” is old school from the 90s; it failed. Think reality with “Applied Security” that can be reasonably implemented and maintained in the future with affordable resources.
- Acquire a 2nd Opinion or Summary Review before Major Implementation Changes take place, if time permits.
- Embrace approaches using Risk Management skills involving estimated likelihoods of occurrence.
- Use security people who are interested in working with your business or organization for improvements. That can be more important than their highest security certifications.
- Implement security operations, procedures, & policies that can be maintained not just for the budget you had when they’re implemented. Your security systems and methods must be adjustable during times of reduced budgets. Don’t make it such an administrative, systems, and approval-based layers nightmare that you have to expend sizable resources to reduce it down later.
- Security Training is important; the individual is the weakest link. Use a 9-month recurring training approach instead of annual 12-month training for staff. Have “Refresher Training” for those who experience additional security issues or concerns.
- Significant Security Changes typically impact a workforce’s culture and may create an emotional resistance, including from management. Having some employees getting onboard in advance will help. There must also be senior management support in advance. So, appropriate approaches to address an upcoming big change could involve: 1) down-to-earth simple lay language to explain the need for the change, 2) the resources expended, 3) the benefits to be experienced, and 4) the logic and business decisions that decided the type of changes.
- Use the earlier listed items that are potentially needing improvements in the IT Security area.
- View some of our services that apply in the Information Security arena.
Internet Security THREAT MAPS
Here are some current Internet Security Threat Maps. Each has its own different sources of detection, layouts, and available threat types. For example, some focus on Denial-of-Service attacks and some on SPAM attacks. Some are realtime and some are delayed data “playback”. If one doesn’t say “realtime”, it doesn’t necessarily mean it’s not. Some load quicker than others but the slower ones were not included in this list. Some are more intuitive than others. Each will open in a new window (as denoted by the 3 dots …)