Wednesday, June 9, 2010
The Importance of Effective Control Frameworks

Dear Colleagues,
Recent breaches of security and confidentiality serve as good examples of why information security is never about one particular tool. There are no silver bullets, but there might be a few lone rangers!

A proper control framework needs to be in place and functioning normally, which also requires regular auditing and testing, with feedback loops into the continuous improvement process.
The control framework is based on a top-down approach: statutory/regulatory obligations, organizational policy, standard operating procedures, and security standards. Clearly written and concise goals and objectives need to be developed to help keep each process focused and on scope.
The control framework also needs to be taught to employees, regularly communicated, and reinforced with internal/external examples of hits and misses, including effective record keeping. Tools and automation play a role that reduces risk by removing humans from the process, but they often overlap and integrate with human activities, including failsafe mechanisms and breakpoints.
However, all that said, social engineering continues to be the most significant threat, as it retains the potential to bypass the control framework and any tools. This leaves us in a state of constant assessment, mitigation, and continuous improvement.
Sincerely, Mark.
1:15 am edt