It is well known that humans are the weakest link in the information security chain, but specifically, who are them? Well, you may guess, “they” are everyone. I have been in both sides, as a user and as a system admin; and in both sceneries humans tend to make mistakes. It’s human nature.
I don’t want to justify that human trait. I just want to create some kind of awareness. Specifically, companies should consider invest in security education trainings and awareness programs directed to their Information Technology personnel. They are clever at securing the information technology assets of an organization. A single unchecked checkbox in the configuration of a firewall rule or security policy, is enough for a cybercriminal to penetrate the corporate perimeter and compromise the entire network infrastructure without any trace. Furthermore, causing a security breach that in turn would potentially cause a massive data leak. You may be familiar with the severe regulatory and business consequences of these type of security events. Definitely this technical staff will appreciate the company investment in their continuous professional and educational development.
What am I proposing? Well, more than demanding compliance with information security policies from staff, companies need to keep them with the most up-dated training and knowledge about the latest cyber threats, and vendor specific and technology trainings. Likewise, IT staff need to have the kind of sense that their work is contributing successfully to accomplish the organization’s objectives, goals and profits by being compensated with market rate salaries. Providing staff with the necessary tools, knowledge and motivation, will let them know their value within the company, as well as the importance of their jobs. This will also help companies to attract and retain the best talents.
Technical trainings and awareness should be directed to multiples areas such as secure development, system hardening, security controls effectiveness, vulnerability assessment, patch management, IT asset management (software & hardware), and IT staff recruitment, just to mention a few. Likewise, management should consider mid to long term professional development plans, that may allow them being certified among various paths like CEH, CISM, CISSP, MSCE, Security+, and ITIL, among many others. This should strengthen the staff with the latest technological and security knowledge. Also, this would help them to develop and/or maintain a more mature security posture. Not to mention that they would be intrinsically better motivated.
Companies investing in developing their internal IT staff should consider this a win-win scenario, where better prepared, compensated, and motivated staff, presented more engaged and loyal employees. Even though that this will not necessarily be always the case, it is worth the try. It will cost much less that being hacked.
Remember, most of the time, hackers are organized, better prepared than some industries, and highly motivated. Internal IT staff should be ahead of them.
Author: Gilberto Crespo, MSCE, CDIA+, CIP, ITILv3
Computer Engineer & Technology Blogger
What am I proposing? Well, more than demanding compliance with information security policies from staff, companies need to keep them with the most up-dated training and knowledge about the latest cyber threats, and vendor specific and technology trainings. Likewise, IT staff need to have the kind of sense that their work is contributing successfully to accomplish the organization’s objectives, goals and profits by being compensated with market rate salaries. Providing staff with the necessary tools, knowledge and motivation, will let them know their value within the company, as well as the importance of their jobs. This will also help companies to attract and retain the best talents.
Technical trainings and awareness should be directed to multiples areas such as secure development, system hardening, security controls effectiveness, vulnerability assessment, patch management, IT asset management (software & hardware), and IT staff recruitment, just to mention a few. Likewise, management should consider mid to long term professional development plans, that may allow them being certified among various paths like CEH, CISM, CISSP, MSCE, Security+, and ITIL, among many others. This should strengthen the staff with the latest technological and security knowledge. Also, this would help them to develop and/or maintain a more mature security posture. Not to mention that they would be intrinsically better motivated.
Companies investing in developing their internal IT staff should consider this a win-win scenario, where better prepared, compensated, and motivated staff, presented more engaged and loyal employees. Even though that this will not necessarily be always the case, it is worth the try. It will cost much less that being hacked.
Remember, most of the time, hackers are organized, better prepared than some industries, and highly motivated. Internal IT staff should be ahead of them.
Author: Gilberto Crespo, MSCE, CDIA+, CIP, ITILv3
Computer Engineer & Technology Blogger
