When I ask clients about their IT security strategy, I am generally surprised at the responses I receive. Most of the time, they give me a list of security program elements currently in play: firewalls, vulnerability management, IDS, anti-virus, etc.
But just as a shopping list does not constitute a three-course dinner, a list of elements is not the same as an IT security strategy. Nor is it the best place to begin building one!
The next most common response I get is that there is no formal, documented security strategy in place. The company simply “does its best to keep hackers out and protect against breaches”.