Main Discussion Points:
- Most organizations have policies, but how do you ensure they are enforced and not just on paper?
- It is important to understand the cost of security and the cost of not being secure or not caring about it
- Physical device security is also important; it is not just about malware
- Executive acceptance and leadership by example are necessary for success
- Training and resources are often not sufficient
Attendees: 12 (ITPro-5, Dev-5, Mixed-2)
- Security Seriousness:
  - 80% have a policy, but very few enforce it or know its details
  - Larger companies tend to have a better process in place, but still have many loopholes not covered
  - Smaller companies tend to have one or two people holding the keys, and the security level depends on their knowledge
  - For smaller companies it is better to offload portions to an SP to support and secure their IT infrastructure
- Cost of Implementing Security vs. Not Implementing Security:
  - It might be expensive to implement a security policy, but far more expensive if it isn't implemented
  - Directors can be held legally responsible, financially and with possible jail time
  - Many industries, especially the financial and personal identity industries, have security guidelines that are strictly enforced and monitored
  - Lack of resources to implement and train on best practices
- Security Tools:
  - Baseline Security Monitor
  - Too many possible areas and separate tools are required to monitor and prevent breaches
  - Most security infractions happen inside the organization, and they tend to be costlier
  - Internal security breaches are also harder to protect against
- Rapid Change Management:
  - This area changes as fast as the technologies you are using and the technologies that can breach your security (hackers)
Participants talked about physical security, including securing their sites against rogue USB keys.
They also talked about creating effective security policies, and how to implement them both technology-wise and process-wise. A big issue was getting backing from management on security policy – so finding the balance between what is convenient and what is secure.
We also talked about issues around regulatory compliance. One person said they often told people that a particular security policy was in place to comply with a regulation even when it wasn't.