Welcome to the fourth blog in our special series, Mitigating Gartner’s Network Security Worst Practices.
In this post we’ll cover the worst practice of “Insufficient Focus on Users and Business Requirements” which Gartner also fondly calls “That’s what our policy says”[1]. According to research, “Security projects that are owned exclusively within the security team face the risk of neglecting business and user requirements, which are too often seen as constraints.”
I believe Einstein said that “Two things are infinite: the universe and human stupidity; and I’m not sure about the universe!” Security teams are often guilty of taking this concept to the extreme, assuming business users will do stupid things which only a strict security policy can prevent. However, it does not take an Einstein to understand that, as crazy as this notion may sound, security is here to enable business, and not the other way around.
While not always easy, I believe this worst practice can be much improved by taking the following steps:
To summarize, as with avoiding most of the worst practices, we believe security teams should ensure they adopt the right mentality (think meeting every morning, holding hands and chanting “The end user is not the enemy”), incentivize the right actions (read the Gartner report for more great ideas) and make sure to have the right solutions to align security operations with the business.
About the Mitigating Gartner’s Network Security Worst Practices Blog Series
In this special blog series we’re taking a deeper dive into the network security worst practices identified by Gartner, and are examining how each of the 9 worst practices that we specifically address can be mitigated using automated security policy management.
[1] Source: Gartner, Avoid these “Dirty Dozen” Network Security Worst Practices, by Andrew Lerner, Jeremy D’Hoinne, January 8, 2015.