There is no silver bullet for how best to bake InfoSec into the behaviour of a company. There will not be much uptake until the benefits of doing this are clear and the penalties become concrete.
The UK’s Information Commissioner’s Office (ICO) has so far concentrated on government bodies with respect to DPA infringements and fines, but it will also turn to private enterprise once its enforcement mechanisms are refined. Your company will want to be in a good position when that happens.
The pace of technology dictates how quickly the traditional role of InfoSec can become redundant. Cloud-based solutions, for example, allow internal teams to adopt a technology easily without considering the risks. Why? These offerings are 'plug and play' with very low entry barriers. If InfoSec remains a high-barrier checkpoint, it will be circumvented. Unfortunately, that could lead to a breach and consequent damage to your company.
InfoSec teams need to restructure their position and offering within organisations. InfoSec has to secure more leverage for its function, either by embedding itself in the development process or by continuing in the role of final arbiter for projects that are about to go live. The first option is more practical.
Accomplishing that takes a commitment to advertising the skills and utilities an InfoSec team can offer. Internal blogs are a good place to start. They are easy to publish and do make an impact when written regularly in an engaging fashion.
When the content is consistent, interesting and informative, staff come to appreciate the value of company information, how it is being protected and what role they can play in keeping data secure.