There is a common problem in the cyber security industry, something that holds many organisations back in their maturity. Quite simply, too many organisations treat initiatives or solutions in isolation. They don’t understand the linkage between an initiative and an overall goal, or the pathways to defining and achieving that goal. We have dislocated security teams running dislocated initiatives and wonder why we are not progressing at the pace we should.
You might disagree. You might think this isn’t something you do. But let’s run through a straightforward example and see where you sit.
How many organisations have a requirement to run a security awareness programme and maybe include phishing simulations in that? Frankly, lots. But how many ran through the process of first defining an overall goal and the various links and dependencies to make that happen?
All too often, security “experts” say their overall goal is to raise awareness in their organisation or measure preparedness, when neither has any meaning in terms of a goal. Awareness is not an overall goal. Awareness in itself gets you little unless you understand the linkage. Here’s an explanation.
