- Not Anymore, Continued
- Known Vulnerabilities and Known Exploits
- Targeted Threats
- Critical Systems and Threats
- Regulatory Issues
- A Word About the Long Term: IPv6
- The Organizational Security Posture
- What Parts of Constant Vigilance Should I Outsource?
- What to Keep
- Who to Seek
- You Have Just Charted a Course: Let's Set Sail
The Organizational Security Posture
Within this chapter, you have seen how keeping tabs on threats, countermeasures, regulations, and technology creates an effective virtuous circle of awareness. To maintain this posture, your IT team must stay current and aware by having a keen grasp on what's out there, and communicating it to business owners in a clear, business-relevant manner.
Having your IT and global security teams scour the Internet for online tradeshows and conferences is an easy way to gather intelligence. They should also join key professional organizations such as the Information Assurance Advisory Council (IAAC.Org.UK) and begin immersing themselves in the constant-vigilance circle, both in person and virtually.
At times, it will be wise to send your teams to tradeshows in your country or region to see the latest innovations first hand. These gatherings showcase relevant tools for counteracting threats. Teams should approach them with a critical eye, looking past "brochureware" and custom testimonials and asking for the contact information of at least three CSO or CIO customers who use the product and are willing to talk about it. If they get the "If I told you, I would have to kill you" treatment, it is time to move on. The CSO and CIO community will talk and share with peers, just not in public.
As they become steeped in knowledge, create opportunities for raising constant-vigilance issues within your business owners' units. Host an after-work pizza gathering where everyone has a chance to share, and listen to, new threats, countermeasures, regulations, and technology that might affect each unit. This should roll into a formal audit process that occurs yearly and feeds into the following year's cycle of security planning.