Read the book 8 Steps to Better Security - Kim Crawley - Page 14

The Biggest Mistakes Businesses Make When It Comes to Cybersecurity

I asked business cybersecurity leaders about the biggest mistakes organizations make when it comes to cybersecurity. Their answers included trying to solve a problem by buying off-the-shelf software, keeping investment in cybersecurity to a minimum, and believing that having employees who are compliant means that the company is secure. Mitch Parker, the CISO of Indiana University Health, put together his “top 11” mistakes:

1. Assuming that IT costs are sunk costs and that IT is capable of handling all issues with minimal effort or intervention.
2. Not doing or ignoring a risk assessment.
3. Not addressing or developing a risk management plan.
4. Not developing good internal processes to assess and address risks.
5. Under-resourcing information security initiatives either through lack of funding, team members, or both.
6. Assuming that cyber insurance is an appropriate risk transference mechanism. As of 2021, when this was written, the major cyber insurance carriers are becoming more stringent with who they insure. They are denying higher-risk customers policies due to ransomware payouts causing significant financial losses.
7. Leadership allowing their teams to bypass security controls and identified risks to facilitate the business, even if there is a high probability of a breach.
8. Assuming that security events will never happen to them for any number of imagined reasons.
9. Cutting security and IT costs out of projects to increase profitability on return-on-investment calculations.
10. Leadership not supporting security and information risk management as a required business function.
11. Overreliance on tools or services to address security needs based on inflated expectations and little analysis.

Even if you aren't a CISO, these are valuable tips for when you design your company's cybersecurity program. It's always best to learn from others the easy way, rather than learn the hard way by making the same mistakes yourself.
