Security is a process, not a product. This quote at the beginning of the chapter is from Bruce Schneier, and it immediately struck a chord with me because it’s true. Technology in general has been seen as a product and a cog in the process. The introduction to the chapter talks about how IT can be restrictive in the name of security, and that it should not be that way. IT security is there to protect the firm and not get in the way of the firm’s purpose, whether that is to turn a profit or to facilitate change.
There is an emphasis that focuses on the technology and not on management. While both are intricate, the text stresses that managing is the more difficult of the two, and I tend to agree. The example given was that a firm can have outstanding security technology, but if it lacks proper disciplined management, then it has wasted its money. These key points in chapter two again are what is key to me, because if a system does not have key management in place, it will fail.
Hi Erskine,
Great insight. Personally, I have always shared the belief that no matter the technological sophistication put in place in any organization, if the human component of the information systems is not factored in, then it’s like having a treasure house with big gates but without perimeter fencing. Bruce Schneier’s assertion that security is a process, not a product, buttresses my point above. There is an emphasis on the importance of balancing protection with a company’s main aim, whether profit-oriented or aimed at facilitating change. The text underscores the importance of robust management alongside advanced security technology. Without effective management, even the most advanced security systems can fail, implying that the emphasis should be equally on the technology and management aspects of security.
Hello Erskine, I like the beginning quote you mentioned about security being a process. That quote really stood out to me because it shows the main principle of working in this industry: adaptation, as technology is always changing. I also agree that managing is more difficult than technology. Any major company can pay the money necessary to buy the new tech, but not every company is able to implement proper leadership. I think this applies beyond technology; it most likely applies to every single industry. What I wonder is how a company determines which is more necessary to put resources into, because sometimes the technology might be a little old but still operational, and rather than investing in better tech, they could revamp management. What goes on in the process to determine which route they choose?
I found this chapter interesting specifically in the way that it deals with the human relation to IT as being just as important as physical or digital security assets. The chapter goes to great lengths to detail how human interaction and perception can impact systems and security. The first mention of this is the emphasis on “weak points” in a security structure, but the chapter also deals with criticisms like the treatment of employees, such as how IT staff interact with their employees and co-workers. The chapter also goes into detail on how hackers’ or adverse elements’ perception of an organization can influence where or what they choose to target, as well as how internal company perceptions and ethics shape IT policy. This is an interesting perspective to look at, as in IT many people tend to view security as a 1s and 0s game, where analytics is the most important element. Being able to look at security risks and threats from a different perspective, especially an unpredictable human perspective, equips specialists with new ways of perceiving not only the systems they work with, but the people as well.
With the advent of AI and cybersecurity analytics, and a few other technological sophistications here and there, an organization can easily be subconsciously tempted and cyber-socially conditioned to believe that these translate to cyber fortification. But most of the time they forget that human behaviour can be very unpredictable, especially when there are no heuristics for such patterns. Hence the need not to ignore or play down the human aspect of a holistic security architecture.
I found the same thing, meaning how the chapter deals with the relationship between IT and the users of IT. Throughout all the different attacks and breaches I have read about, most of the time the attack happened because of the actions of an end user. A lot of times this was unknowing and unintentional, but it is still reckless and dangerous. This is why the relationship between IT staff and the end user must be symbiotic. One cannot successfully defend the environment if those who are members of the same environment do not actively participate in its defense.
Boyle and Panko’s Planning and Policy encapsulates an intriguing, comprehensive examination of two pertinent business elements. The authors eloquently expound on the necessity of strategic planning and effective policy setting for the successful operation of modern organizations. This underlines the critical nature of weaving together effective planning models and policy frameworks, and is aptly reflected in the systematic tone of voice throughout the chapter.
This chapter provides the reader with valuable insights, primarily focusing on how planning and policy can streamline business operations, enhance competitiveness, and support change management while facilitating decision-making processes. The authors make a clear distinction between the two terms, underscoring that while planning is inherently anticipatory and directive, policy paints the overarching organisational culture and ethos.
Apart from these, the chapter discusses detailed elements such as budgeting, forecasting, resource allocation, and risk assessment. It underlines the role of effective performance measurement as a guiding star for vision formulation and strategic goal setting, thereby adding perspective to how planning converges into organizational policy.
Moreover, the authors affirm the role of planning and policy in ethical conduct and corporate responsibility. They highlight that well-founded planning lays the groundwork for ethical decision-making, while sound policies facilitate moral conduct in organizations.
Boyle and Panko have expertly sketched the crucial aspects of planning and policy in managing businesses. Their insightful interpretation underscores the importance of these tasks in forming the structure and direction of an organization.
Hi Michael,
Thank you for your thoughtful and comprehensive summary of Boyle and Panko’s chapter on Planning and Policy. Your analysis effectively captures the essence of the authors’ arguments and highlights the critical role that strategic planning and effective policy play in modern organizations.
The clear distinction between planning as an anticipatory and directive process, and policy as a shaper of organizational culture and ethos, is well articulated. Your discussion on how these elements streamline business operations, enhance competitiveness, and support change management is insightful, showcasing the broad impact of strategic planning and policy setting on organizational success.
Furthermore, your recognition of the ethical dimension is crucial. The acknowledgment of the role of planning in ethical decision-making and policies in facilitating moral conduct highlights the authors’ holistic approach to managing businesses. It underscores the authors’ perspective on how a well-structured foundation of planning and policy contributes not only to organizational success but also to ethical conduct and corporate responsibility.
In summary, your response effectively captures the depth and breadth of Boyle and Panko’s exploration of planning and policy, emphasizing their significance in shaping the structure and direction of organizations. Well done!
In this chapter, the authors delve into the pivotal role of information technology in shaping modern business infrastructure. They skillfully illustrate how the effective deployment of IT systems can have a transformative effect on business operations, bolstering efficiency and sparking innovation. The chapter points out how IT has cultivated enhanced connectivity, enabling interdepartmental communication and driving data-driven decision-making. Notably, they draw attention to the advent of cloud computing, which has reshaped the IT landscape by offering flexible and cost-effective solutions, freeing businesses from the constraints of physical infrastructure.
Furthermore, this chapter discusses the gradual shift in businesses’ perspective towards IT, acknowledging it not merely as a service department but as an essential tool for strategic development. There is a focus on the elements of IT management, emphasizing the importance of aligning IT strategy with business objectives to foster growth and competitive advantage.
The chapter concludes with a cautionary note on the challenges of IT, including potential security vulnerabilities and the need for continuous tech upgrades. The authors strongly advocate for a proactive IT risk management approach to optimize system performance and safeguard against cyber threats. In its entirety, chapter 2 presents a comprehensive examination of IT’s instrumental role in shaping the corporate realm.
Hi Ikenna,
You bring up an excellent point on aligning IT strategy with business objectives. Regardless of how well-planned any cybersecurity plan is, if business objectives conflict or are even hindered by these plans, they will most likely be ineffective or outright ignored when the inevitable time comes to deal with a threat. It is essential that business and IT work together to keep an organization safe.
There were a ton of topics that stood out for me in this chapter, and I will go over several. One that stood out for me is the Simple Network Management Protocol (SNMP), which enables organizations to manage remote devices from a single console. One thing that came to mind here is how that will shape the industry moving forward, and what other technologies will come out that will lessen the need for employees. I also like how this chapter pointed out how to get security in early in a project rather than retrofitting it afterward. It is more cost effective to have it at the beginning of the project than later. This is something I will bring up in the other class I’m taking this semester, Systems and Infrastructure Lifecycle Management.
The elements of technical security architecture countermeasures were interesting, as the chapter pointed out countermeasures such as border management, internal site security management, management of remote connections, interorganizational systems, and centralized security management. I found that in interorganizational systems, two companies link some of their IT assets. I found that interesting, as this is the first time I’ve heard of this, and it makes me think: if they link their assets together, will the companies face more risk than if they did not? This section of the chapter also went through categories of security policies, and they are familiar from my current workplace, as we have email, hiring, termination, and PII policies in place to protect the company, employees, and customers.
Lastly, I found the governance frameworks interesting. The one that stood out the most for me was the ISO/IEC 27000 series. This standard divides security into 14 areas. Some of these areas are access control, asset management, cryptography, and compliance. One of the standards I know I will have to understand in full is ISO/IEC 27007, which focuses on information security systems auditing.
Hi Jeff,
Good read here. In just a few words, for me ISO/IEC 27007 is a bulwark against potential lapses, privacy breaches, and the numerous risks inherent in information security management.
The author gave a comprehensive explanation of security management and its pivotal role in ensuring corporate security. The author differentiated between security technology and security management. Most of us, myself included, have always been focused on security technology (always defending and staying ahead of attackers) and took for granted the amount of work and planning that went on behind the scenes before the implementation of these technologies. Security management begins with the identification of an organization’s assets and current security posture, followed by the development, documentation, and implementation of policies and procedures for protecting assets.
The author made a very good point that firms should invest in things that will give them big returns. Since it is hard to cover every aspect and eliminate all risks, firms should instead prioritize investments in security measures that offer significant returns in terms of risk reduction, operational efficiency, regulatory compliance, and reputation protection.
Viewing security as an enabler rather than just a set of rules can make a big difference, and working with other departments can help develop a security plan that works, as we can view the system from the user’s point of view and understand the requirements. This makes it easier to implement policies and controls, as people will feel included in the process. We as security personnel should remember that employees are the first line of defense.
The author did a great job of introducing industry-related governance frameworks and how companies can use them to guide their security efforts. Some of these I have come across in the industry, and I will be exploring them more, especially COBIT and ISO 27000.
Overall, the chapter gives a good look at all the work needed behind the scenes to build a strong security system. Security management is like the foundation of a building; without it, everything else will crumble.
Mariam, from your post I learnt that the author provides an insightful elucidation of security management’s crucial function in safeguarding corporate security. Again, he stresses the need for organizations to shift focus from solely security technology to comprehensive security management. By identifying assets and monitoring security posture, then developing, documenting, and implementing protective policies, companies can enhance risk reduction, operational efficiency, and reputation protection. This promotion of security management as a foundational element underscores the importance of personalized, inclusive security plans.
Hi Mariam, I agree that the author’s emphasis on the pivotal role of security management in corporate security was interesting. The distinction between security technology and management is clear, and the focus on defending against attackers and prioritizing investments aligns with my perspective. The author’s point about viewing security as an enabler and collaborating with other departments is crucial. The introduction of governance frameworks like COBIT and ISO 27000 adds practical insights.
I agree with Chapter 3’s point of view, which emphasizes fostering favorable attitudes toward users. Although the adage “security is everyone’s responsibility” is frequently heard, I have seen strained relationships develop between IT/IS teams and other business divisions. Giving non-technical people an explanation of technical or security ideas may be difficult, for sure. If we as security experts can’t help the company and encourage our colleagues to develop security habits, we will still have a difficult struggle ahead of us. This idea is, in my opinion, furthered at the beginning of the chapter, where it is said that security technology is easier to account for than security management. Ultimately, the people we work with and for need to be the ones protecting us from cyberattacks.
I agree with your perspective. Establishing a strong relationship between IT and users can significantly streamline operations and enhance productivity. Recognizing that employees are the first line of defense in cybersecurity, involving end users in security initiatives can promote inclusivity and foster a sense of responsibility across the organization.
This chapter began by laying emphasis on the importance of security management over security technology. People tend to focus more on technology because it is perceivable compared to management which is abstract. The security management process aims to safeguard an organization from potential threats, striving for comprehensive protection. The strength of security is contingent on its vulnerabilities, often linked to human factors. It covered the plan–protect–respond cycle and complexities of IT security management. Compliance laws and regulations such as Sarbanes–Oxley, privacy laws, PCI-DSS, and FISMA were discussed, along with the interactions between IT security departments and other organizational departments. Classic risk analysis, security architecture, policies, standards, procedures, and best practices were explored, highlighting the need for oversight, auditing, and sanctions to prevent internal fraud. The chapter concluded with an overview of governance frameworks like COSO, COBIT, and ISO 27000, providing systematic approaches to IT security planning.
Hi Chidiebere,
I’d like to expand on how you mentioned that human factors are often the biggest determinant of how strong security is in an organization. A study found that up to 95% of cybersecurity incidents happen due to human error exposing a threat. This demonstrates how important it is that every person in an organization has an understanding of good cybersecurity practices and of preventing threats to their organization.
I agree with you, Chidiebere. The author did a good job of demonstrating the importance of security management and explored all the aspects involved with it. As emphasized, security is indeed a continuous process, and a well-executed management strategy lays the groundwork for smoother implementation.
Security planning and policy are extremely important to organizations, as they outline how organizations can defend their assets. There are two major takeaways that I found very interesting: the idea of weakest-link failures and the plan-protect-respond cycle. Regardless of how well-planned an organization is for threats, if even one part is inadequate or fails during the process of cybersecurity management, then the rest is useless regardless of how much planning is done. As such, ensuring that there are no weakest links in a plan is essential to maintaining a good cybersecurity plan.
When conducting security planning, the understanding that threats will inevitably bypass existing controls needs to be planned for. As such, the plan-protect-respond cycle is essential for any organization, not only to plan ahead but also to respond in a timely manner to new threats. The ability of an organization to create a cybersecurity plan, implement adequate security controls that balance security and user accessibility, and respond to threats that will happen is essential for all organizations.
You pointed out something that I never really thought about but is obvious: that even if one part is inadequate or fails during the process of cybersecurity management, the rest is useless regardless of how much planning is done. I feel like, then, aren’t most systems or parts of cybersecurity management all a big failure? At some point a system will be penetrated, or a vulnerability will be outdated to the point that something new comes along and breaks the cycle. As I read further into your post, the future and upkeep of these systems are protected by the plan-protect-respond cycle.
The most interesting part of this chapter to me was part 2.5, which was on technical security architecture. Here, the authors emphasize the importance of developing a comprehensive technical security architecture for companies. Drawing an analogy to building a house with an architect’s plan, the text highlights that technical security measures, such as firewalls, hardened hosts, and intrusion detection systems, should not be implemented without an overall strategic plan. The term “architecture” suggests a deliberate and coordinated approach to security, ensuring that countermeasures are well-organized and aligned with corporate asset protection needs and external threats. The section also discusses the necessity of dealing with legacy security technologies, emphasizing the challenge of replacing them all at once and the need for strategic compensations when such technologies become ineffective. The key takeaway for me is the significance of a coherent architectural plan in fortifying a company’s security measures, aiming to create a comprehensive defense against potential attackers.
I understand and appreciate your emphasis on the significance of addressing legacy systems. It is often an overlooked aspect of security but can pose a major threat to an organization’s security. In fact, my previous employer had a few laptops running on outdated operating systems such as Windows XP/7 which were vulnerable to cyber attacks. The chapter offers valuable insights by acknowledging the challenge and proposing solutions for organizations dealing with this issue. It provides helpful guidance for companies looking to enhance their security posture. By taking a coordinated and strategic approach, organizations can build a more effective defense against cyber threats.
My favorite point of this chapter was in 2.5 Technical Security Architecture, where it went on to describe how a company’s or organization’s security should not be elevated individually by each system but rather by a coordinated mass overhaul that addresses every aspect of their information systems, protecting each appropriately with regard to its threats, with an impenetrable wall with no avenues for attackers to navigate. It also covers the problem each organization has with considering its legacy security (those controls previously implemented but now less effective), and how the organization has to weigh the risks of retaining that security against the cost of upgrading it to the latest innovation. I really enjoy this particular line of analysis, as it comes up often in everyday life when you consider whether or not a tool you have has outlived its life span and is more of a detriment than an asset.
I enjoyed reading that area as well. It’s interesting to see in practice what a comprehensive security plan would look like. The general rule that we follow is that there is no way to ensure that a system is 100 percent secure, but being able to piggyback off other systems to enhance or enrich the security of each other is a great way to make sure that your security plans work in tandem and cooperate to elevate the status and security of your organization as a whole.
The primary objective of an organization revolves around managing risks. Most people believe risk can be eliminated, but this is untrue due to human and technical errors. An organization can only try to manage the risks. To manage risks, organizations should ensure proper training of employees. People are the weakest link in an organization. If the employees have adequate training, they will be able to identify risks and know the proper precautions and procedures to follow.
Akintunde, I totally get what you’re saying about managing risks; it’s like a constant juggling act over whether it’s worth the resources. Pointing out the human factor: we’re not perfect, and neither are our tech setups. Training employees gives them the skills to spot and handle risks, but with that power, what do you think would be the most essential thing to include in employee training for them to be able to handle more risks?
The first part I enjoyed about chapter 2 was how it mentioned that technology as a concept may be easier to understand than management, because management doesn’t have anything physical like technology does. What I found interesting, though, is that right after that, it said security management is more important than security technology. This in and of itself can bring forth many profound discussions on what it means to work in security. Later in the page it talks about how attackers only need to go through one opening to get into an organization. You can have the best technology in the world, but if management isn’t good, it can all crumble down. This can be avoided by having a security management process. You also need a top-level security management process, which, as the chapter talks about, has sections for planning, protection, and response.
Hi Hashem, I also appreciate how Chapter 2 highlights the contrast between technology and management, noting that while technology may be more tangible, the significance of security management surpasses it. The idea that attackers only need one opening to compromise an organization emphasizes the pivotal role of effective management.
I also agree that management control is more important. People are the weakest link in an organization. Management control helps to safeguard sensitive information by ensuring compliance with regulations and standards.
Security is a process, not a product. This quote at the beginning of the chapter from Bruce Schnider. This immediately struck a chord with me because it’s true. Technology in general has been seen as a product and a cog in the process. The introduction to the chapter talks about the difficulties how IT can be restrictive in the name of security, and it should not be that way. IT security is there to protect the firm and not get in the way of the firm’s purpose. Whether that is to turn a profit or facilitate change.
There is an emphasis that focuses on the technology and not management. While both are intracule, the text stresses the managing is the more difficult of, and I tend to agree. The example given was a firm can have outstanding security technology but if it lacks proper disciplined management, then you have wasted your money. These key points in chapter two again are what is key to me because if a system does not have key management in place, it will fail.
Hi Erskine,
Great insight. Personally I have always shared in the belief that no matter the technological sophistication put in place in any organization, if the human component of the information systems is not factored in, then that’s like having a treasure house with big gates but without perimeter fencing. Bruce Schnider assertion that security is a process, not a product, buttresses my point above. emphases on the importance of balancing protection with a company’s main aim, whether profit-oriented or aimed at facilitating change. The text underscores the importance of robust management alongside advanced security technology. Without effective management, even the most advanced security systems can fail, implying that the emphasis should be equally on technology and management aspects of security.
Hello Erskine, I like the beginning quote you mentioned about security being a process. That quote really stood out to me because it shows the main principle of working in this industry- that being adaptation, as technology is always changing. I also agree that managing is more difficult than technology. Any major company can pay the money necessary to buy the new tech, but not every company is able to implement proper leadership. I think this applies beyond technology. I think this most likely applies to every single industry. What I wonder is how does a company determine which is more necessary to put resources in? because sometimes the technology might be a little old but still operational, and rather than investing in better tech, they could revamp management. What goes on in the process to determine which route they choose?
I found this chapter interesting specifically in the way that it deals with human relation to IT being just as important as physical or digital security assets. the chapter goes to great lengths to detail how human interaction and perception can impact systems and security. The first mention of this is the emphasis on “weak points” in a security structure, but the chapter also deals with criticisms like treatment of employees, such as how IT staff interact with their employees and co-workers. The chapter also goes into detail on how hackers or adverse element’s perception of an organization can influence where or what they choose to target, as well as how internal company perceptions and ethics shape IT policy. This is an interesting perspective to look at, as often in IT many people tend to view security as a 1s and 0s game, where analytics is the most important element. Being able to look at security risks and threats from a different perspective, especially an unpredictable human perspective, equips specialists with new ways of perceiving not only the systems they work with, but the people as well.
With the advent of AI and cybersecurity analytics with other few technological sophistications here and there, An organization can easily be subconsciously tempted and cyber-socially conditioned to believe that translates to cyber fortification. But most that times forget that human behaviours can be very much unpredictable. Especially when there are no heuristics to such patterns. Hence, the need to not ignore or play down on the human aspect of holistic security architecture.
I found the same thing meaning how the chapter deals with the relationship between IT and the users of IT. Throughout all the different attacks and breaches I have read about, most of the time the attack happened because of the actions of an end user. A lot times unknowingly and unintentional but still this is reckless and dangerous. This is why the relationship between IT staff and the end user must be symbiotic. One cannot successfully defend the environment if those are members of the same environment do not actively participate in defense of the environment.
Boyle and Panko’s Planning and Policy encapsulate an intriguing, comprehensive examination of two pertinent business elements. The authors eloquently expound on the necessity of strategic planning and effective policy setting for the successful operation of modern organizations. This underlines the critical nature of weaving effective planning models and policy frameworks and is aptly reflected in the systematic tone of voice throughout the chapter.
This chapter provides the reader with valuable insights, primarily focusing on how planning and policy can streamline business operations, enhance competitiveness, and support change management while facilitating decision-making processes. The authors make a clear distinction between the two terms, underscoring that while planning is inherently anticipatory and directive, policy paints the overarching organisational culture and ethos.
Apart from these, the chapter discusses detailed elements such as budgeting, forecasting, resource allocation, and risk assessment. It underlines the role of effective performance measurement as a guiding star for vision formulation and strategic goal setting, thereby adding perspective to how planning converges into organizational policy.
Moreover, the authors affirm the role of planning and policy in ethical conduct and corporate responsibility. They highlight that well-founded planning lays the groundwork for ethical decision-making, while sound policies facilitate moral conduct in organizations.
Boyle and Panko have expertly sketched the crucial aspects of planning and policy in managing businesses. Their insightful interpretation underscores the importance of these tasks in forming the structure and direction of an organization.
Hi Michael,
Thank you for your thoughtful and comprehensive summary of Boyle and Panko’s chapter on Planning and Policy. Your analysis effectively captures the essence of the authors’ arguments and highlights the critical role that strategic planning and effective policy play in modern organizations.
The clear distinction between planning as an anticipatory and directive process, and policy as a shaper of organizational culture and ethos, is well articulated. Your discussion on how these elements streamline business operations, enhance competitiveness, and support change management is insightful, showcasing the broad impact of strategic planning and policy setting on organizational success.
Furthermore, your recognition of the ethical dimension is crucial. The acknowledgment of the role of planning in ethical decision-making and policies in facilitating moral conduct highlights the authors’ holistic approach to managing businesses. It underscores the authors’ perspective on how a well-structured foundation of planning and policy contributes not only to organizational success but also to ethical conduct and corporate responsibility.
In summary, your response effectively captures the depth and breadth of Boyle and Panko’s exploration of planning and policy, emphasizing their significance in shaping the structure and direction of organizations. Well done!
In this chapter, the authors delve into the pivotal role of information technology in shaping modern business infrastructure. They skillfully illustrate how the effective deployment of IT systems can have a transformative effect on business operations, bolstering efficiency and sparking innovation. The chapter points out how IT has cultivated enhanced connectivity, enabling interdepartmental communication and driving data-driven decision-making. Notably, they draw attention to the advent of cloud computing, which has reshaped the IT landscape by offering flexible and cost-effective solutions, freeing businesses from the constraints of physical infrastructure.
Furthermore, this chapter discusses the gradual shift in businesses’ perspective towards IT, acknowledging it not merely as a service department but as an essential tool for strategic development. There is a focus on the elements of IT management, emphasizing the importance of aligning IT strategy with business objectives to foster growth and competitive advantage.
The chapter concludes with a cautionary note on the challenges of IT, including potential security vulnerabilities and the need for continuous tech upgrades. The authors strongly advocate for a proactive IT risk management approach to optimize system performance and safeguard against cyber threats. In its entirety, chapter 2 presents a comprehensive examination of IT’s instrumental role in shaping the corporate realm.
Hi Ikenna,
You bring up an excellent point on aligning IT strategy with business objectives. Regardless of how well-planned any cybersecurity plan is, if business objectives conflict or are even hindered by these plans, they will most likely be ineffective or outright ignored when the inevitable time comes to deal with a threat. It is essential that business and IT work together to keep an organization safe.
Jeff Sullivan
MIS 5214
Week 3
Temple University
There were a ton of topics that stood out for me in this chapter, and I will go over several. One that stood out for me in this chapter is the Simple Network Management Protocol (SNMP), which enables organizations to manage remote devices from a single console. One thing that came to mind here is how that will shape the industry moving forward and what other technologies will come out that will lessen the need for employees. I also like how this chapter pointed out how to get security into a project early, rather than retrofitting it afterwards. It is more cost-effective to have it at the beginning of the project than later. This is something I will bring up in my other class I’m taking this semester, Systems and Infrastructure Lifecycle Management.
The elements of technical security architecture countermeasures were interesting, as the chapter pointed out countermeasures such as border management, internal site security management, management of remote connections, interorganizational systems and centralized security management, and noted that in interorganizational systems, two companies link some of their IT assets. I found that interesting, as this is the first time I’ve heard of this, and it makes me think: if they link their assets together, will the companies face more risk than if they did not link? This section of the chapter also went through categories of security policies, and they are familiar to me from my current workplace, as we have email policies, hiring, termination and PII policies in place to protect the company, employees and the customers.
Lastly, I found the governance frameworks interesting. One that stood out the most for me was the ISO/IEC 27000 series. This standard divides security into 14 areas. Some of these areas are access control, asset management, cryptography and compliance, etc. One of the standards I know I will have to understand in full will be ISO/IEC 27007, which focuses on information security systems auditing.
Hi Jeff,
Good read here. In just a few words, for me, ISO/IEC 27007 is a bulwark against potential lapses, privacy breaches, and numerous risks inherent in information security management.
The author gave a comprehensive explanation of security management and its pivotal role in ensuring corporate security. The author differentiated between security technology and security management. Most of us, myself included, were always focused on security technology (always defending and staying ahead of attackers) and took for granted the amount of work and planning that went on behind the scenes before the implementation of these technologies. Security management begins with the identification of an organization’s assets and current security posture, followed by the development, documentation, and implementation of policies and procedures for protecting assets.
The author made a very good point that firms should invest in things that will give them big returns. As it is hard to cover every aspect and eliminate all risks, firms should instead prioritize investments in security measures that offer significant returns in terms of risk reduction, operational efficiency, regulatory compliance, and reputation protection.
Viewing security as an enabler rather than just a set of rules can make a big difference, and working with other departments can help develop a security plan that works, as we can view the system from the user’s point of view and understand the requirements. This makes it easier to implement policies and controls, as people will feel included in the process. We as security personnel should remember that employees are the first line of defense.
The author did a great job of introducing industry-related governance frameworks and how companies can use them to guide their security efforts. Some of these I have come across in the industry, and I will be exploring them more, especially COBIT and ISO 27000.
Overall, the chapter gives a good look at all the work needed behind the scenes to build a strong security system. Security management is like the foundation of a building; without it, everything else will crumble.
Mariam, from your post I learnt that the author provides insightful elucidation on security management’s crucial function in safeguarding corporate security. Again, he stresses the need for organizations to shift focus from solely security technology to comprehensive security management. By identifying assets and monitoring security posture, then developing, documenting, and implementing protective policies, companies can enhance risk reduction, operational efficiency, and reputation protection. This promotion of security management as a foundational element underscores the importance of personalized, inclusive security plans.
Hi Mariam, I agree that the author’s emphasis on the pivotal role of security management in corporate security was interesting. The distinction between security technology and management is clear, and the focus on defending against attackers and prioritizing investments aligns with my perspective. The author’s point about viewing security as an enabler and collaborating with other departments is crucial. The introduction of governance frameworks like COBIT and ISO 27000 adds practical insights.
I agree with Chapter 3’s point of view, which emphasizes fostering favorable attitudes toward users. Although the adage “security is everyone’s responsibility” is frequently heard, I have seen strained relationships develop between IT/IS teams and other business divisions. Giving non-technical people an explanation of technical or security ideas may be difficult, for sure. If we as security experts can’t help the company and encourage our colleagues to develop security habits, we will still have a difficult struggle ahead of us. This idea is, in my opinion, furthered in the beginning of the chapter when it is said that security technology is easier to account for than security management. Ultimately, the people we work with and for need to be the ones protecting us from cyberattacks.
I agree with your perspective. Establishing a strong relationship between IT and users can significantly streamline operations and enhance productivity. Recognizing that employees are the first line of defense in cybersecurity, involving end users in security initiatives can promote inclusivity and foster a sense of responsibility across the organization.
This chapter began by laying emphasis on the importance of security management over security technology. People tend to focus more on technology because it is perceivable compared to management which is abstract. The security management process aims to safeguard an organization from potential threats, striving for comprehensive protection. The strength of security is contingent on its vulnerabilities, often linked to human factors. It covered the plan–protect–respond cycle and complexities of IT security management. Compliance laws and regulations such as Sarbanes–Oxley, privacy laws, PCI-DSS, and FISMA were discussed, along with the interactions between IT security departments and other organizational departments. Classic risk analysis, security architecture, policies, standards, procedures, and best practices were explored, highlighting the need for oversight, auditing, and sanctions to prevent internal fraud. The chapter concluded with an overview of governance frameworks like COSO, COBIT, and ISO 27000, providing systematic approaches to IT security planning.
Hi Chidiebere,
I’d like to expand on how you mentioned human factors are often the biggest contingent on how strong security is in an organization. A study found that up to 95% of cybersecurity incidents happen due to human error exposing a threat. This demonstrates how important it is that every person in an organization has an understanding of good cybersecurity practices and preventing threats to their organization.
https://cybernews.com/editorial/world-economic-forum-finds-that-95-of-cybersecurity-incidents-occur-due-to-human-error/
I agree with you, Chidiebere. The author did a good job of demonstrating the importance of security management and explored all the aspects involved with it. As emphasized, security is indeed a continuous process, and a well-executed management strategy lays the groundwork for smoother implementation.
Security planning and policy are extremely important to organizations, as they outline how organizations can defend their assets. There are two major takeaways that I found very interesting: the idea of weakest-link failures and the plan-protect-respond cycle. Regardless of how well-planned an organization can be for threats, if even one part is inadequate or fails during the process of cybersecurity management, then the rest is useless regardless of how much planning is done. As such, ensuring that there are no weakest links in a plan is essential to maintaining a good cybersecurity plan.
When conducting security planning, the understanding that threats will inevitably bypass existing controls needs to be planned for. As such, the plan-protect-respond cycle is essential for any organization to not only plan ahead, but also to respond timely to new threats. The ability for an organization to create a cybersecurity plan, implement adequate security controls that balance security and user accessibility, and respond to threats that will happen is essential for all organizations.
Hey Kenneth, nice post.
You pointed out something that I never really thought about but is obvious. That is, even if one part is inadequate or fails during the process of cybersecurity management, the rest is useless regardless of how much planning is done. I feel like then aren’t most systems or parts of cybersecurity management all a big failure? At some point a system will be penetrated or a vulnerability will be outdated to the point something new comes along and breaks the cycle. As I further read into your post, the future and upkeep of these systems are protected by the plan-protect-respond cycle.
The most interesting part of this chapter to me was part 2.5, which was on technical security architecture. Here, the authors emphasize the importance of developing a comprehensive technical security architecture for companies. Drawing an analogy to building a house with an architect’s plan, the text highlights that technical security measures, such as firewalls, hardened hosts, and intrusion detection systems, should not be implemented without an overall strategic plan. The term “architecture” suggests a deliberate and coordinated approach to security, ensuring that countermeasures are well-organized and aligned with corporate asset protection needs and external threats. The section also discusses the necessity of dealing with legacy security technologies, emphasizing the challenge of replacing them all at once and the need for strategic compensations when such technologies become ineffective. The key takeaway for me is the significance of a coherent architectural plan in fortifying a company’s security measures, aiming to create a comprehensive defense against potential attackers.
I understand and appreciate your emphasis on the significance of addressing legacy systems. It is often an overlooked aspect of security but can pose a major threat to an organization’s security. In fact, my previous employer had a few laptops running on outdated operating systems such as Windows XP/7 which were vulnerable to cyber attacks. The chapter offers valuable insights by acknowledging the challenge and proposing solutions for organizations dealing with this issue. It provides helpful guidance for companies looking to enhance their security posture. By taking a coordinated and strategic approach, organizations can build a more effective defense against cyber threats.
My favorite point of this chapter was in 2.5 Technical Security Architecture, where it went on to describe how a company/organization’s security should not be elevated individually by each system, but rather by a coordinated mass overhaul that addresses every aspect of their information system(s) and protects each appropriately with regard to its threats, forming an impenetrable wall with no avenues for attackers to navigate. It also covers the problem each organization has with considering their legacy security (those measures they previously implemented but which are less effective) and how the organization has to weigh the risks of retaining that security against the cost of upgrading it to the latest innovation. I really enjoy this particular line of analysis, as it comes up often in everyday life when you consider whether or not a tool you have has outlived its life span and is more a detriment than an asset.
I enjoyed reading that area as well. It’s interesting to see in practice what a comprehensive security plan would look like. The general rule that we follow is that there is no way to ensure that a system is 100 percent secure, but being able to piggyback off of other systems to enhance or enrich the security of each other is a great way to make sure that your security plans work in tandem and cooperate to elevate the status and security of your organization as a whole.
The primary objective of an organization revolves around managing risks. Most people believe risk can be eliminated, but this is untrue due to human and technical errors. An organization can only try to manage the risks. To manage risks, organizations should ensure proper training of employees. People are the weakest link in an organization. If the employees have adequate training, they will be able to identify risks and know the proper precautions and procedures to follow.
Akintunde, I totally get what you’re saying about managing risks; it’s like a constant juggling act over whether it’s worth the resources. Pointing out the human factor: we’re not perfect, and neither are our tech setups. Training employees gives them skills to spot and handle risks, but with that power, what do you think would be the most essential thing to include in employee training for them to be able to handle more risks?
The first part I enjoyed about chapter 2 was how it mentioned that technology as a concept may be easier to understand than management, because management doesn’t have anything physical like technology. What I found interesting, though, is that right after that, it said how security management is more important than security technology. This in and of itself can bring forth many profound discussions on what it means to work in security. Later in the page it talks about how attackers only need to go through one opening to get into an organization. You can have the best technology in the world, but if management isn’t good, it can all crumble down. This can be achieved by having a security management process. You also need a top-level security management process, which, as the chapter talks about, has sections for planning, protection, and response.
Hi Hashem, I also appreciate how Chapter 2 highlights the contrast between technology and management, noting that while technology may be more tangible, the significance of security management surpasses it. The idea that attackers only need one opening to compromise an organization emphasizes the pivotal role of effective management.
I also agree that management control is more important. People are the weakest link in an organization. Management control helps to safeguard sensitive information by ensuring compliance with regulations and standards.