Monday, 11 February 2013

Myth #10: We have a security plan

We have a security plan, and I can point you to the binder that contains it.  It’s got all the sections that the consultants told us we needed: policy, risk management, personnel security, information classification, incident management and BCP.  So we must be secure!

No doubt the magic binder is in the bottom of a locked filing cabinet, stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard'.

Plans that exist only for compliance purposes aren’t functional, and quite literally aren’t worth the paper they are written on.  No-one knows about them, no-one follows them, no-one keeps them up to date.  The only thing that they really are useful for is waving at clueless auditors.

That said, we have a security plan at CQR.  Actually we have a security management system certified to ISO 27001.  But you’d expect that of a security company.  This is because we practice what we preach.

So here’s the preaching: security plans only work if they are part of the day to day operations.  If they are just what you do, not what you drag out to appease the auditors, then practical and pragmatic plans really do add value.  I know it’s a cliché, but security really is a journey, not a destination, with a security plan being the map.

With a good plan, security is easy and this myth is confirmed.

Phil Kernick Chief Technology Officer