You buy a new gas grill. It’s a larger model than you have now, and you see the “some assembly required” warning on the box. No big deal. You looked in the box and made sure the assembly instructions were in the little plastic bag on top of the parts. Easy-peasy, right? You get home, pull the instructions out of the bag, and start putting the grill together. And then, everything goes south. First, the instructions are in five different languages on each page, making it an eye test to read. Next, the small parts included do not match the “parts” picture in the instructions. And then, after trying for an hour to figure out why “Tab A” will not come close to fitting into “Slot B,” you realize the instructions are either out of date or for some model other than the one identified on the box you bought. At this point, no one would think it unreasonable if you no longer much care about the grill and are ready to just throw all the pieces back in the box and return it all to the store. Supper will be leftovers from last Sunday.
How does this relate to security policy and procedures? Well, think about an employee faced with the priority task of configuring a network device. Are there policies and procedures in place? Is the employee aware of them, and do they have access to them? Are they appropriately updated for the current technology? Have they passed a review for accuracy and usability? If the answer is “no” to any of those questions, the result may be an otherwise conscientious employee becoming frustrated and willing to just complete the task based on what they think is right. The device may function, but what about security issues such as default accounts and passwords, or inaccurate configuration settings that result in avoidable security vulnerabilities? Without accurate and clearly defined requirements, procedures, and processes, employees must guess at management’s expectations. Are you willing to accept security based on frustrated guessing?
Effective security controls for managing IT risks are based on a foundation of control ownership and control responsibility beginning with Executive Management and cascading down to business units and individuals.
Failing to implement and maintain effective security controls represents potential risks for:
- Stakeholder investment loss
- Reactive management decisions
- Corporate reputation damage
- Employee turnover / dissatisfaction
- Legal/regulatory non-compliance
- Ineffective / Inefficient solutions
- Customer migration
If you have any concerns about your organization’s IT security governance, including creating and maintaining appropriate controls, NorthState can help. It’s what we do. NorthState’s tested and proven methodology:
- Engages subject matter experts with the goal of:
  - Inventorying and assessing existing controls
  - Identifying ad hoc processes
  - Mapping control gaps to appropriate industry best practices (e.g. CIS, ISO, HITRUST, NIST, etc.)
  - Assessing adoption of current controls within the enterprise
  - Capturing tactical challenges
- Documents findings and recommendations for management
- Provides follow-up to ensure success
NorthState’s unique advantage is the ability to provide experienced, skilled resources to assist any size organization with mature IT governance processes without reinvention, and with guaranteed results.
To speak directly with one of our cybersecurity experts, please contact us at firstname.lastname@example.org.