March 3, 2018
Dear Austin ISSA members,
We all know that outreach and awareness are key to delivering a good security program for any company, so why do so many companies still think of security as a technology solution? Part of the problem is our own fault: we point fingers every time something fails, we often stress technical solutions, or we advise companies to mitigate risks that do not apply to them.
If businesses were to mitigate every form of risk, they would be so heavily burdened with overhead and administrative costs that they would eventually collapse under their own weight. Businesses cannot mitigate every form of risk, so they prioritize and address the high-priority ones. A local grocery store, for example, may consider slips and falls a higher risk than shoplifting, so it may invest its limited budget in slip-resistant floors instead of CCTV cameras. The store is not denying the risk of losing goods to shoplifting, but litigation resulting from a fall may be far costlier. The store may still implement a cost-effective measure against shoplifting by instructing its employees to keep an eye out for shoplifters and giving them a procedure for reporting suspicious activity.
Security needs to be addressed in the same manner. A small startup that processes credit cards obviously needs to be PCI compliant, so abiding by the twelve PCI DSS requirements is far more important to it than addressing the Spectre and Meltdown threats. From our perspective it may look as though the business is refusing to implement security best practices, but we are not the ones who must hire and train the extra IT experts needed to address every possible threat. Extra employees cost extra money, and we need to be aware of this limitation.
Good outreach and awareness not only require prioritization; they also mean we must listen to the needs of the various business sectors. Telling businesses that they need to address every vulnerability imaginable amounts to crying wolf. Look at it this way: security-related events in the news media focus on data breaches, ransomware and cryptocurrency; how many reports do you read about SCADA or medical IoT compromises? Businesses rely heavily on the media to inform their decisions, so until Spectre and Meltdown compromises become big news, don't expect businesses to treat them as a high priority.
Our chapter’s focus this year is to improve outreach and awareness to the Austin business community. Contact a board member if you are interested in helping us achieve our goals.
President, ISSA Capitol of Texas chapter