Organizational Security: Automation is Key
In today's era of modern work and collaboration, the key is adaptation. I often encounter discussions with companies entrenched in old habits. Take, for instance, conversations about migrating to the cloud. When they describe their folder structure, I grow increasingly concerned. Many still perceive folders as if they were in the Windows 95 era: a local directory tree on a central file share.
While it's acceptable to continue using this approach, it's not conducive to modern work practices. The real issue arises when these organizations attempt to bolt "modern features" like sharing and collaborative editing onto their "old structure." At that point, I feel compelled to interject and bring security concerns into the discussion.
Organizational security vs IT Security
What consistently surprises me is what ensues. They present all their tools for IT security: we have MFA in place, firewalls, and so forth. True, that is IT security progress over the past 30 years, and we've witnessed numerous innovations in this domain. My perennial question then becomes: What about organizational security? What measures have been taken there? The typical response usually revolves around updating policies, perhaps followed by mentioning a training program or deferring the matter to the CISO's jurisdiction.
What does the Artificial Intelligence say?
Somehow I didn't feel heard when I told them that IT security and organizational security are not the same. Thanks to LLMs (e.g. Copilot, ChatGPT), my strategy now is to ask the AI: "What is the difference between IT Security and Organizational Security?"
The output is likely to look like this:
Certainly! Here are the bullet points with leading zeros:
IT Security:
- Primarily focuses on protecting digital assets from cyber threats.
- Involves implementing technical solutions to safeguard IT infrastructure.
- Often includes deploying security tools and technologies.
Organizational Security:
- Concerned with managing risks to the organization as a whole.
- It includes broader aspects of security, including governance, risk management, compliance, and employee awareness.
- Involves developing and enforcing security policies, guidelines, and training programs.
While IT security implementations typically involve the deployment of security tools and technologies, organizational security implementations focus on establishing guidelines, policies, and practices to govern security-related activities across the organization. However, it's essential to note that there can be overlap between the two, as effective organizational security often requires the use of IT security tools and vice versa.
It seems that in IT security the focus is on leveraging technology, whereas organizational security centers around policies and guidelines. But why is that the case?
In IT security, we've embraced automation to enforce our policies and procedures. So why haven't we done the same for organizational security?
Conclusions: Gewohnheitstier “Creature of Habit”
My sole explanation is the "Gewohnheitstier" (creature of habit): we focus on refining our definitions and policies rather than on automating and operationalizing them.
We should do better; social engineering is one of the most significant threats to our systems. Automation of policies is the way to go.