You wouldn’t buy a car and then hand it to a monkey to look after, so why spend all that money on impressive security technology and then hand it to some loud-mouthed chancer who doesn’t really know how to run it?
It is the person behind the machine who makes decisions on risk, not the machine itself. If you can programme the machine to respond faster in a repeatable and defensible way, fab, but it is still the human mind behind the decision making: we decide on the threats and on the response.
So, what does this mean? It means organisations must proactively decide whether their employees, third parties, outsourcers, vendors, insurers and consultants are on their side and have no ulterior motive. Equally, the person you pay to manage your cyber security mustn’t be the ‘sell you the dream but I don’t really know the ins and outs’ type.
Staff who are good at budgeting, planning and managing operations don’t usually operate well in a crisis, when decisions must be made quickly. Employees and third parties who stretched the truth to get the job in the first place usually fail to perform at the first sign of a crisis, and many of those chosen to ‘protect’ a business treat it more as an ‘opportunity’: when faced with an incident they either inflate its seriousness or use it as a justification to sell more technology.
Security people care about one thing: minimising the impact and likelihood of risk. They exist to ‘serve’ the board. Choose your team wisely.
It’s all about trust.