The most important thing of all when it comes to our company networks and data is to be in control. This is also the most difficult objective to accomplish. In fact, just defining what we mean by “control” is hard enough although I’ll have a go by saying I believe that we are in a good state of control when there are consistent processes being consistently followed throughout the organisation.
But to what lengths do we need to go in order to accomplish this? I recall the processes followed at one business I visited in India. No employee could take into the building any personal items apart from the clothes they were wearing. Desktops were locked down to the nth degree. No Internet connectivity. All activities were closely monitored and audit logs continually checked. That’s all fair and good, but it’s not exactly an environment conducive to innovation. But then again, it wasn’t meant to be.
Take the organisation I work for now. It encourages innovation and wants individuals to have ideas and research new ways of doing things. To facilitate that, we have to open up to the outside world and provide opportunities to experiment with all manner of new resources and technologies. If there’s one challenge above all others in my job, it’s trying to define where the balance lies between retaining control and letting go, whilst still adequately mitigating risks.
The level of risk acceptance will vary from business to business and is dependent upon all manner of variables: the value of the data, attitude to risk, regulatory environment and so on. If, for example, your business has an online growth strategy, then you, as security officer, had better be prepared to support it and find ways to make it happen, even where that means revisiting your presently over-restrictive policy.