Friday, December 16, 2005

Securing the Corporation

Ask most data security professionals how to secure the assets of a company and they will talk about operational security. They will discuss firewalls, intrusion prevention and the like. They wrongly focus on the loss of data and other operational security matters. Yet they will also tell you that there can never be 100% security. At the same time, they nearly always fail to discuss the biggest risk for a corporation, which is often the legal aftermath of a data loss. The legal entanglements will often result in far more financial loss than the actual damages, especially in the case of a loss of data. I think this is a holdover from physical security, when the actual loss was often the majority of the material damages. This is simply not the case in today's world of data loss. So, how do you protect against this?

I like to distinguish operational security from organizational security. Securing a corporation requires both. At a minimum, organizational security is comprised of: i) some kind of oversight or governance; ii) a formal security plan; and iii) progress against that plan. While the devil is indeed in the details, these three elements typically protect a corporation from its greatest risk. Moreover, they can often be implemented within 30 to 60 days; I often call this the fast track to compliance. With an active oversight program, companies can extend their remediation efforts and be more systematic, and therefore more economical, in deploying their operational security.

I strongly advocate organizational and operational security programs as joint initiatives.