After having answered the “what could happen?” question we can move forward by asking ourselves “what can I do?”
In the corporate world this question can be a real nightmare as you (technical knowledge) have to convince the management (decision making) to approve a purchase (financial approval). This in itself would be hard enough, however, to this we need to add the lack of technical knowledge of the management and the already prioritized budget. In summary you are stuck with the below table where everyone has limited knowledge thus creating a very thin path to be navigated for a successful investment decision.
The initial prioritization will avoid the formation of unnecessary bottlenecks. Have you ever met the IT guy who thinks the company never approves his purchase demands? This can be one of the reasons, you ask for too much and you get nothing.
IT, just like any other department should work on “interdepartemental communication”. Sales, Accounting, Human Ressources, Business Development all have different mentalities. A salesman can feel that a discussion on a specific tax form made in a foreign language just as a technical document would be at least “difficult to understand” for someone in Human Ressources. IT should be able to provide concrete threats and simple answers to the Management which in turn should explain Finances why this purchase shouldn’t be trivialized.
The “what can I do?” question should also be reformulated as “what can we do?”, simply because security can NOT be the responsability of IT alone. Everyone who operates a computer within the organization and anyone who has or has access to “sensible knowledge” must take responsability. “Sensible knowledge” about a comany is very easy to spot, it’s anything you wouldn’t like to see on the Frontpage of tomorrow’s newspaper.
A minimum level of security can only be reached if all stakeholders do their part. Otherwise that firewall will only be “another IT purchase” and not the superman you were hoping it to be.