I’m disappointed when I hear leaders speak about security and they mention a firewall first. Is it essential to your infrastructure? Of course! But you don’t throw in a Palo Alto or FortiGate and call that your security initiative for the year. Security is about diligence. It’s about connections and empowering people to make better choices.
To me the diligence comes in on the technical side. Patching and updating are essential to keeping your infrastructure and endpoints secure. If you have 30 updates waiting to be run on your database server, someone isn’t doing their job. If firmware on your switches hasn’t been touched in some time, again someone isn’t doing their job. In multiple organizations I’ve seen users grumble about the updates pushed out to their computers, but it’s another essential piece of the puzzle.
That brings me to connections. Users squawk about updates because they likely see them simply as an impediment to getting their work done. Education is key, because the security aspect of running updates is likely the furthest thing from their minds…and there’s nothing wrong with that. It’s our role to educate.
Educating your colleagues on other aspects – identifying phishing schemes, building good passwords and the advantages of two-step authentication – helps both the organization and the person. Those pieces are part of helping to secure the human, as SANS calls it. The human is the most important part of the equation because they make choices every day that we have no control over, and we shouldn’t want to lock things down to exert our control. Empowerment with knowledge is THE target for those of us in charge of IT in organizations. Without knowledge in people’s hands, the best cyber appliances in the world won’t do us a lick of good.