Improving Security Without a Security Team
Professionally speaking, if I could wave a magic wand I would provide security support to every company, agency and organization, regardless of size, industry, or age. Unfortunately, too many organizations can’t find or afford a security team, let alone a Chief Information Security Officer (CISO). The task of “doing security” falls to some poor schmuck, usually in IT, who has to try to make security happen while also doing their day job, a herculean task if ever there was one. Even if there is a team, often they are under-resourced and over-worked, and managing security on their own can be overwhelming.
Something that is often overlooked by business leaders and security leaders alike, is that there are things a business can do to reduce its security risk, or improve its security capabilities, without doing anything that requires a security program, tool or service — and doesn’t involve outsourcing services to a security company. Small companies, start ups, and organizations struggling to resource security properly may wish to consider some of these things…
Data Management and Reduction Plan
You don’t need a security team to classify your data and get rid of data you no longer need. Ask yourself (or your teams):
- What data elements do we collect, not just from customers, but also from partners, employees, contractors and stakeholders?
- Do we need to collect it in the first place? (for example, do you need an entire birthdate, or is simply collecting day/month or month/year enough?)
- After we’ve collected it, do we need to keep it, or can we delete it immediately? (e.g. do you need to keep a birth certificate or transcript or drivers license, or once you’ve seen/verified the information on it can you mark the record as “verified” then delete the document?)
- How long do we need to keep it? There can be regulations that require data is kept a certain time (legal/tax documents, medical records, etc), so it’s OK that you are keeping things for at least that time. If you’re keeping it longer than that, ask yourself why and make sure your reason is defensible (“in case we need it later” doesn’t…