There are so many angles to an information security program that it’s not going to be covered in one small, potentially ranting, blog post. But I’m going to jump off target before I even get on target. We see programs and policies that appear to have been written by a prison warden, locking out business functionality, and we see some that are so ambiguous it’s hard to tell if it’s a program at all. If you go to the trouble and investment of creating an information security program, make it work!
Alright, back to the question: who needs one? Every company? Does it depend on size? On what they do? What do you think? If you’re one guy who buys stuff at garage sales and resells it on eBay, most likely you don’t need one. But what about a small ecommerce business with 10 employees? I raise this because recently that was a real conversation I had with a small and growing company about when, or if, they even need one. My question to them was, “How critical is it that your site and network stay up?” Kind of a rhetorical question for an ecommerce-based organization. But it’s a gamble: they don’t feel they have the resources to create one of value (again, see the first paragraph).
All too often the focus is on increasing revenue, business functionality, brand reputation, etc. There’s also a focus on network uptime; I believe that’s because almost everyone has experienced some level of interruption to productivity. However, fewer people have personally been affected by a breach. I’m not talking about identity theft at the personal level; I’m talking about a company breach. Though, as I talked about in the last post, roughly 85% of all recorded breaches happened to companies with fewer than 100 employees. Although a breach may affect productivity too, the damage is more likely to be worse than a simple outage, causing brand degradation, loss of client trust, penalties, or even the death of a company.
The above paragraph sounds like FUD (I hate FUD), but the message is about driving home the need to do something proactive, security-wise. One of the best ways is to have an information security program and to include, or follow it up with, an incident response plan.