Slashdot Mirror


Cyber Security Should Be Expanded To Departments Other Than IT: CII-KPMG (www.bgr.in)

An anonymous reader shares a BGR report: Cyber threats today are no longer restricted to a company's communications and IT domains, calling for more than just technical controls to avert attacks and protect the business from future risks and breaches, a new report said. According to the joint report of the Confederation of Indian Industry (CII) and KPMG, cyber security today embraces multiple units of an organization like human resource, supply chain, administration and infrastructure. It, therefore, requires governance at the highest levels. "It is vital to keep pace with the changing regulatory and technology landscape to safeguard and advance business objectives. Working backwards by identifying and understanding future risks, predicting risks and acting ahead of competition, can make a company more robust," said Richard Rekhy, Chief Executive Officer, KPMG, India.

5 of 38 comments

  1. Yes and no by Chas · · Score: 3, Insightful

    Do I agree that other departments need training in security?

    HELL THE FUCK YES! The nastiest hole in most security systems is the stupid meatbags being stupid on their computers.

    Do I think that there should be SOME input back from these other departments too? Sure. But in a healthy organization, this is already the case.

    Do I think that these departments should be given policy and decision making powers over security policy?

    HELL THE FUCK NO! That's like putting a blind and deaf sheep that's considered stupid (even by sheep standards) in charge of a flock in an unfenced field in wolf country.

    In short, while feedback is welcome, and good ideas are always welcome, managerial control isn't. Because it's not their job.

    --


    Chas - The one, the only.
    THANK GOD!!!
    1. Re:Yes and no by lgw · · Score: 2

      It is vital to keep pace with the changing regulatory and technology landscape to safeguard and advance business objectives. Working backwards by identifying and understanding future risks, predicting risks and acting ahead of competition, can make a company more robust

      Wow, buzzword bingo in a single quote. Where's Weird Al when you need him? Right here!

      This consultant must have been toning it down though. I would have expected a "proven methodology" and "commitment to quality" in there somewhere, and maybe a "seamless integration" too.

      --
      Socialism: a lie told by totalitarians and believed by fools.
  2. Ignorance shouldn't be an excuse. by jellomizer · · Score: 3, Informative

    The biggest problem in IT Security is all the decision makers (those people outside of IT) claim ignorance, as those IT guys just talk techno babble.

    So when there are legitimate problems, they just ignore IT and tell them to fix it. Vs. trying to take some time to learn about the problem and see if there are other solutions than just a computer fix.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:Ignorance shouldn't be an excuse. by tnk1 · · Score: 3, Insightful

      Yes. You can employ all the latest technical tricks and safeguards and the HR assistant is still going to send a list of all of your social security numbers to a "hacker" due to a badly formatted email that purports to be from the CEO. The number of times that outside parties simply pretend to be someone else and demand sensitive data to be sent to them, and it *works* is absurdly high. This is because people aren't trained and more to the point, have not been told that security is not their responsibility nor their manager's.

      I agree that the Information Security group (NOT the IT department, unless you're too small for an IS group) should be crafting policy and training, and they should accept feedback about their efforts from the other groups, but ultimately they should not be overruled on InfoSec rules by the other departments unless there is executive sign off *in writing* to exceptions.

  3. Re:Technical solutions for social probs don't work by XXongo · · Score: 3, Insightful

    We are all aware that technical solutions for social problems don't work. People will write down their passwords, because they have too many.

    It's been shown that writing down your password is pretty much the safest thing you can do. If I can't write it down, I can guarantee my password is going to have to be something like puppydogN, and I'm going to use the same one on every single system because I can't memorize fifty different passwords and remember which one goes with which login.

    What pisses me off most are the a$$holes in computer security who are now making me change my passwords to a new one every 90 days. Nobody has ever shown that this makes anything safer.