Exactly half of survey respondents said their organization is considering making a change to its infosec management model. Among those organizations considering a change, 78 percent cite concerns about breaches and data loss as a top factor.
With the seemingly constant stream of new threats, how do organizations that have had an infosec model in place for several years keep their security policies relevant?
The Bank of Labor takes a methodical approach to updating its formal policies, but is quick to tweak procedures in response to threats. “The purpose of our policies is to be at a high level, not to cover every eventuality out there,” Shaun Miller, the bank’s information security officer, told Computerworld. “We update procedures for tactical, day-to-day stuff, but when it comes to our strategic direction on security going forward, we change our policies in a limited fashion so as to not overwhelm users.”
As an example, the bank recently blocked Flash, a move that Miller said the firm doesn’t consider a change to policy. “Our board of directors approves policy and they don’t know what Flash is or what it does. It’s just an example of a simple, day-to-day business response to threats as needed.”
For more insights from this research, download the State of Information Security report.