I just finished reading a pretty decent CIO Insight article (with lots of research links) on the state of IT Security at a Corporate level.  It ends with the following comment that I wholeheartedly agree with:

For IT security to work, companies must train and motivate personnel to consistently avoid risky behavior, build strong technical defenses that are quick to adapt to new threats, and ensure clear management support for both. What’s worrisome is that too many companies aren’t good at all three.

New tools are definitely part of the solution, because trying to keep up manually is futile.  However, new tools must be accompanied by support for processes, people and training for those people (whether they are in IT or elsewhere in the business).

Information Security is not an IT-only problem, in the same way that health is not a doctor-only problem.  The parallels between InfoSec and healthcare don’t stop there.  As with good health, the more that everyone knows about good information security practices, the better the overall security level of the general population, because each of us is affected by the security hygiene of everyone else who can connect to us in any way.

Each day, the types and intensity of the security threats we face are increasing, and we have to be ever-vigilant to combat them and mitigate their risks.  Security is not an eternal state of being, unless you’ve managed to get yourself into a place where everything continues to be exactly the same as it was yesterday.

