Last week, the US-based National Institute of Standards and Technology (NIST) issued new guidelines on monitoring information security across computer networks, devices and software. In the wake of a series of high-profile data breaches, the recommendations reiterate the ongoing need for companies to take control of their IT security strategies and policies.
A key message in the guidelines is that an effective, continuously monitored information security programme helps organisations move from purely compliance-driven to data-driven risk management.
This is an important shift for many organisations; while no one can deny the ongoing, growing need to comply with increasingly complex regulations, there’s more to security than box-checking. As NIST points out, data-driven risk management gives organisations the information they need to “support risk response decisions, security status information and ongoing insight into security control effectiveness.”
On the face of it, it all sounds very complicated. Monitoring all risks while negotiating a path through compliance leaves a lot of organisations bound up in so much red tape that they simply opt for what looks to be the easiest route: lock, block and limit communications. As we’ve seen so many times before, this is a self-defeating approach that ultimately holds companies back.
We operate in a dynamic business environment, not a vacuum; companies need to be flexible and agile. This calls for equal measures of self-knowledge and threat understanding – and effective monitoring can help get you there. Security should be about policy, not policing, and quality risk assessment drives quality policy, which in turn allows your organisation to communicate with confidence.
Monitor. Communicate. Educate. Security policy should drive technology, not the other way around.