Information and data breaches have become better known, and are even discussed by the general public, because of the way breaches affect the common person. The publicity that surrounds these cases causes more than financial damage for the corporations affected: it also brings bad PR, employee retention issues and sometimes legal ramifications.
Historically it has been up to the IT team alone to focus on IT security, but today it takes more than one department to carry this message. As noted in the ISACA article, Performing a Security Risk Assessment, the old approach of relying on IT alone has its risks.
"Classically, IT security risk has been seen as the responsibility of the IT or network staff, as those individuals have the best understanding of the components of the control infrastructure. Moreover, security risk assessments have typically been performed within the IT department with little or no input from others.
This approach has limitations. As systems have become more complex, integrated and connected to third parties, the security and controls budget quickly reaches its limitations. Therefore, to ensure best use of the available resources, IT should understand the relative significance of different sets of systems, applications, data, storage and communication mechanisms. To meet such requirements, organizations should perform security risk assessments that employ the enterprise risk assessment approach and include all stakeholders to ensure that all aspects of the IT organization are addressed, including hardware and software, employee awareness training, and business processes."
To create a security posture that is holistic throughout the company, the key points below are imperative.
1) Identify: find key stakeholders company-wide to determine what the risks, sensitive data and entry points could be
2) Assess: determine where the gaps and threats are in those environments
3) Take action: find the no-cost remediation steps that can be completed ASAP
4) Research: determine what the platform is missing and where it is missing from (e.g. guest wireless threats, IoT concerns)
The iQSG Security team can help determine steps 1-4 for teams unsure where to begin. Contact a security architect below: