The timeliness aspect comes in light of a lot of recent articles and commentary around breaches, social engineering attacks and announced vulnerabilities. It should be no surprise that we are seeing an increase in articles on this with DefCon in Vegas this past weekend, and the events that lead up to it, but I think we are also seeing the recognition of a true problem even from outside of the technical community.
As I read some of the articles that come out I see a consistent theme - little opportunities that are missed that either created the gap that was taken advantage of or created a gap that made the initial event so much worse. One of the best pieces I have read that begins to address some of the issues with actionable ideas was a piece written by Jeffrey Carr on Shady Rat. In this piece he identifies a four step process that starts to address the "gap that made the initial event worse". This type of direct action taken conjunction with development or revisiting of a broader plan is what is needed for organizations big and small. (For those small organizations that think this is a non-issue take a look at the Anonymous hack at rural sheriff offices and that is the new stuff - the older stuff would really scare you)
What is that broader plan? I wrote on some of this a few weeks back and I still contend that it is bigger than this or any blog is, but there are some basics. I hate simple graphics as they can be so empty but I think in this case if we go beyond simple we are writing a book - so here goes:
For most organizations 5 simple areas are what is needed to be looked at. I was going to do the loop-back diagrams but being a car guy I like gears better and it gets the point across. The point is that all five elements need to work together. The four outer gears, although smaller, are as important to get right as the overall strategy. All these working together is what drives the organizations business purpose. Mess with one gear or implement it poorly and the overall plan suffers. As I mentioned a few weeks back, ignoring the surprises, or not being prepared to respond to the unknowns will also cost dearly.
I think that most companies will say that they have these basic elements in their plans but based on what is happening in in the real world we are seeing that either they are not well implemented or not being effectively updated and monitored. A plan is only as good as it's execution. So take a look at your plans, update them as needed and have in place a regular review - and that does not mean every 5 years. In today's world it should, at least, be part of your quarterly reviews.
- Posted using BlogPress from my iPad
No comments:
Post a Comment