Most corporations suffer from the delusion that a small team of cybersecurity experts buried within the bowels of IT (or elsewhere) can protect the other 99%+ of the company’s workforce from exposing business-sensitive or business-critical information to malicious external actors. Unfortunately, this same delusion exists within many IT shops. 95%+ of the IT staff members blithely assume that the security team (which may only represent 5% or less of the total IT staff) will keep them all out of trouble. These delusions have proven to be false many, many times but they persist nevertheless.
In the current age of widespread security awareness, almost every enterprise has established a security program. A security program consists of policies established by the CISO or ranking security leader; operational controls that enforce those policies; work rules and procedures that implement the controls; tools that support the rules and procedures; and a security operations team that uses the tools to monitor compliance with the rules and procedures and to audit the consistency and effectiveness of the controls. This sounds complicated, but the key components of a successful security program are well understood by most IT shops and have been implemented, to one degree or another, in most enterprises.