Your company will fail

Cyberscum Member Posts: 795
What is your company's biggest security shortfall and how would you fix it?

-Disaster preparation and recovery

-Network and hardware vulnerabilities

-Data at rest security

-Policy and enforcement

-Operations security

-Any others that are unique to your company

Comments

  • Cyberscum Member Posts: 795
    If I was only to pick one, mine would be disaster prep.

    We had an incident a few weeks ago and **** hit the fan fast ha ha.

    Although I could say that we have almost all of those problems listed.

    ...realistically we need a body that is ONLY responsible for that program. Our company uses the "security guy" term and we have to manage all the programs with a shortage of people...
  • kiki162 Member Posts: 635
    End User Training
    Having Management fully embrace IT security seriously = usually s*** has to hit the fan hard at the top
    Cross Training other IT folks = So they know what to do for basic Level I type of stuff
  • dave330i Member Posts: 2,091
    Interesting DR case study: Cantor Fitzgerald - Forty-Seven Hours
    2018 Certification Goals: Maybe VMware Sales Cert
    "Simplify, then add lightness" -Colin Chapman
  • Cyberscum Member Posts: 795
    dave330i wrote: »
    Interesting DR case study: Cantor Fitzgerald - Forty-Seven Hours

    That is the first internet story I have actually read from start to finish in a long time

    Amazing story.

    Solidifies the need for planning as ONE event can take down an entire multimillion dollar company.

    Great share, thx
  • Cyberscum Member Posts: 795
    kiki162 wrote: »
    End User Training
    Having Management fully embrace IT security seriously = usually s*** has to hit the fan hard at the top
    Cross Training other IT folks = So they know what to do for basic Level I type of stuff
    Usually I would say that insiders are where most of our threats are, but after our last "event" I would say having a recovery plan THAT ACTUALLY WORKS is a must.

    Because although you might lose some secrets here and there from insiders/hackers, you can still operate.

    So many companies just have disaster plans to check a box and only fully realize the spirit of a plan once an emergency happens.

    I have seen a company have a fully certified COOP plan that was tested and all. One day they lost both primary and alternate power. Although they had tested a power outage, they only tested it for a few seconds just to see everything come up. When they actually had a full outage everything went back up as planned, but they did not plan for the length of the outage. Needless to say the UPS only held for a few minutes and died....along with a few employees' careers, gigs of data and a few network components.
  • Matt2 Member Posts: 97
    If I told you I'd have to kill you.

    I do know that I'd be quite happy to have good asset management in place across the board and not just for important environments.
  • varelg Banned Posts: 790
    Disaster recovery.
  • tpatt100 Member Posts: 2,991
    All of the above
  • alias454 Member Posts: 648
    I think much of what you are describing falls into the basics. Here is an interesting article that discusses learning how to walk before you run: https://danielmiessler.com/blog/failing-at-the-basics-in-intelligence-and-infosec/. The idea that some whiz-bang device/application will somehow solve all of our troubles is a misguided one if we don't do the basics.

    I think you also mentioned another key area for improvement within infosec, or just organizations in general. Lack of testing the plan results in failures. There is a reason why we practice fire drills. We know that practicing the plan saves lives when the real thing occurs.
    “I do not seek answers, but rather to understand the question.”