One of the biggest misconceptions about security and risk management in IT is the idea that an organization can spend its way to safety. While it is critical to use proper technology tools such as data backups, firewalls, and antivirus as a defense against the variety of risks posed by integrating technology into your key workflows, these products are not a cure-all.
Security products are only as good as the people who manage them and the users who ultimately work alongside them. That’s why you need a policy to define the proper use of the technologies you have in place.
Let’s just consider antivirus software, which has been universally accepted as a key component of any security strategy. Certainly, antivirus software helps prevent infection if a bad file is sent to you in an email, or if you happen to visit the wrong website, but trusting antivirus too much is like swimming with sharks in the ocean simply because it’s probably safe. Maybe the safety measures you put in place, like antivirus, can prevent disaster from happening, but perhaps the wiser decision would be to stay out of the dangerous areas to begin with. And sometimes, even when you think it’s safe, bad things can happen. Products sometimes fail.
This metaphor is an important lesson to think about for anyone concerned about managing risk. Security products are only as good as the people who manage them and the users who ultimately work alongside them.
But it’s not just how people use technology that we need to control. It’s equally important to define the roles and expectations of staff and partners for when security and risk management systems are put to use during a critical event. A backup solution can work really well, as long as it has been monitored and tested, and a process is defined for how and when the tool is used. What if you need to recover data, and you don’t know who does the work? Or what if you recover a server from an image, and in the process you write over critical information you actually needed?
So security and risk management tools are critical, but they are only as good as the people and the processes managing them. That’s why we help our clients develop IT policies to fit either general best practices or specific compliance and regulatory standards. Security and risk management are disciplines, and we believe in being an active partner in your strategy so you can feel comfortable that all aspects of your IT management are considered.
About the Author
Ben Schmerler is a vCIO Consultant at DP Solutions, one of the most reputable IT managed service providers (MSP) in the Mid-Atlantic region. Ben works with his clients to develop a consistent strategy not only for technical security, but also for policy/compliance management, system design, integration planning, and other business-level technology concerns. You can follow DP Solutions updates on LinkedIn or on its website: www.dpsolutions.com.