Securing the organization: where is the weakest link? Management


The Crac des Chevaliers in Syria is an excellent example of medieval fortification from the Crusader wars and a fine representative of the fusion of European and Asian approaches to security.


We are in a similar situation when we look at the cyber wars and the threats we face today: we need to house our organization in a secure environment where no one can get in and, even if they did, they could not leave our fortress with our data and other valuable digital assets.

Reference: http://whc.unesco.org/en/list/1229

There are similar forts in other parts of the world too, including in India, such as Daulatabad in Aurangabad, Srirangapatna near Mysore and the Agra Fort, to name a few.

None of these forts was ever conquered by direct assault or in battle; every one of them fell to the invading army through treachery.

Much of our information security jargon is derived from the protections used by the old forts, the more popular terms being firewall, demilitarized zone, demarcation of zones, access rights, passwords, two-factor authentication and honeypots.

As we look through history we find that the weakest link has been the trusted people who aligned with the enemy, either willingly or through social engineering by the enemy.


The same applies to our organizational security today; we can bring in the best security solutions, but managing them and keeping the organization secure rests squarely on its people.


The CISO and his team alone cannot secure the organization; security is everyone's business in the organization. We come across organizations where the security policies do not apply to the CEO and senior management; there cannot be a more blatant flaw in an approach to security. Secure the Board and executives first from cyber attacks, as they are the most vulnerable; instead, securing the troops, who have access to less knowledge, is normally taken as the priority. The rules should be the same for all, since all employees are vulnerable.


Many organizations shun automated tools because they believe the tools do not work for them; these organizations compromise their security posture. They need to use automated tools that generate real-time alerts and MIS reports on demand and at a given frequency, provide an audit trail, and archive incidents and transactional data.

Every person, every device and every I/O port in the network or on a device is vulnerable, and so is the data; you need to secure every digital artifact in the organization, whether at rest or in motion.


Companies that believe a firewall, antivirus and a 16-digit password will secure their organization need to revisit their security architecture and build it again.