What is your organization’s approach to security events? For many organizations, every security alarm is treated with the same urgency as a fire. A sense of urgency is good, but the panic that follows is not a recipe for longevity. Constantly shifting attention from one emergency to the next is fatiguing, and it often leads to mistakes that compound the original event.

The “all hands on deck” approach is similar to an ineffective method of weeding a garden. If you have a team of gardeners who are dedicated to pulling up sprouting weeds, they will forever be chasing weed sprouts rather than attacking the main root, known as the taproot. Fortunately, there is a better way to handle security. 

Attacking the taproot is not only more effective but also more cost effective. That sounds good, but on its own it does not describe a reliable approach to IT security; it has something of a “boil the ocean” ring to it. What is needed is a more measured approach to building a security program. In the accounting profession, practitioners rely on a methodology known as Generally Accepted Accounting Principles (GAAP). One purpose of GAAP is to protect an accounting organization from liability if something goes wrong: an organization is less likely to be found negligent if it can show that it was following industry-recognized best practices.

But we do have the CIS Controls

Unfortunately, there is no comparable generally accepted set of IT security principles. So how can organizations protect themselves against lawsuits in the event of a security breach? One method that has advanced and matured over the years is to adopt the controls published by the Center for Internet Security (collectively known as the CIS Controls).

Formerly a list of (Read more...)