The concept of knowledge management is an alien one within the majority of organisations, however harnessing the experience of employees is the essence of all business and why we pay, sometimes extortionate amounts of money, for certain key individuals, writes Craig Goodwin, CISSP, head of security services at Optimum-MBA.
How many organisations rely on a single individual to maintain 80% of their IT infrastructure, completely unaware that it would be next to impossible to find someone with that specific knowledge and skill set should that person seek greener pastures elsewhere?
This valuable resource must be harnessed, recorded and utilised so that it can be called upon regardless of individual post holders. For security, a function which is highly interdependent on its interaction with other business functions, tracking and storing the specific knowledge behind what makes the operation effective, can pay long-term dividends.
Immature security functions have a tendency to be reactive, through no fault of their own. With no defined policies or processes to turn to, individuals find themselves constantly dealing with security incidents, be it network intrusion, e-mail misuse or loss of confidential information. They call upon their own expertise to do this, unable or sometimes unwilling to reuse previous solutions, certain that they will make a larger impact within the organisation if they solve the problem themselves.
In these circumstances, reactive controls are the necessary solution - another firewall there, more internet blocking here - and, in the short term, the problem is solved. In the longer term, reactive controls become a burden on both manpower and budget: their purpose is not recorded, baselines are not documented, and their usefulness across the longer-term business infrastructure is limited.
Policies, processes and standards
Investment of time and money in a clearly defined, well structured and well integrated set of policies, processes and standards that reflect the best practices known - both generally and from an organisation's specific experience - will ensure that technological measures such as firewalls, anti-virus software, routers and intrusion detection systems are deployed effectively and consistently, while the knowledge behind them is disseminated across the organisation.
A truly holistic approach to security is achieved through the integration of the organisation's business functions and processes, so the process should bring together those elusive IT specialists and the relevant HR individuals, and address security issues with integrated and logical thinking before money and technology are thrown at the problem.
Review existing controls
In the current economic climate, the process can begin with a review of the utilisation of existing controls to ensure you are making the best use of everything that you have in place. The effort should document baseline technical standards for each barrier. A set of policies should emerge based upon best-practice standards and possible areas of improvement.
While alleviating the operational burden, and saving costs, the foundations are set to ensure that all standards, processes and procedures - the organisation's knowledge - are documented and maintained.
I encourage all to take a condor moment. Breathe, step back and take a holistic look at what is already in place. Document everything, educate everyone and start utilising and controlling our most precious commodities, people and knowledge, to provide the levels of security we all strive for.