I was recently asked to participate in a group interview sponsored by Digital Guardian (a vendor of information technology security solutions) that centred on a simple question: “What’s the #1 biggest mistake companies make when it comes to securing sensitive data?”
One of the biggest challenges I had with this task is that it’s really difficult to narrow it down to a single mistake; unfortunately organizations make far too many mistakes (as the articles about data loss and breaches of privacy in the business pages of the newspapers can attest). But after pondering the question for a while I arrived at an answer that I really liked. Surprisingly, it’s not a technology issue.
When it comes to securing sensitive data, the biggest mistake companies make is that they minimize or ignore the human dimension of security. There is a cultural aspect to security that must become part of the DNA of the organization; all too often organizations fail to make the essential investments to make it happen.
Organizations are willing to spend a lot of money developing the necessary standards, guidelines and procedures required by a comprehensive security program, and they are willing to spend even more on the technology required. Where organizations tend to drop the ball is the human element; staff needs to be acutely aware of the security policies, trained in the proper application of the policies and understand (and accept) their personal responsibilities and accountabilities. There needs to be a training regimen for both new and existing staff, as well as periodic refreshers. Security responsibilities should be built into their role descriptions and their personal objectives.
It’s also necessary that security be deployed in a manner that will allow staff to fulfill the responsibilities of their job while fully complying with the requirements of the program. The information security program cannot be a roadblock; its application must be proportional to the risks identified and it must support (and not inhibit) the ability of the organization (and its staff) to conduct its business.
And a second mistake: organizations implement a security program and think they’re done. They’re not. Security programs need to continuously adapt in order to meet new threats and environmental changes. The security landscape is ever evolving, both on the side of threats and on the side of regulators; organizations need to ensure that their security programs change in response.
Care to see the other 33 opinions? You can find them on the Digital Guardian blog.