October 13, 2011, 8:02 AM
by Ken Stasiak, SecureState - If it were just that easy: The devil sitting on one shoulder and an angel perched on the other, each offering up his/her advice on security trends. Well, after you read this blog post, you will have all the information you require on the topic, and will not need any ethereal guidance. I’ve assembled two lists: one of security trends you’d do well to avoid, the other of security trends you’d be wise to embrace.
3 acronyms to avoid
1. GRC (Governance, Risk, and Compliance)
I’m not sure if three more unlikely words have ever been linked together before. Governance, Risk, and Compliance (GRC) is defined by Wikipedia as "an integrated, holistic approach to organization-wide governance, risk and compliance ensuring that an organization acts ethically correct and in accordance with its risk appetite, internal policies and external regulations through the alignment of strategy, processes, technology and people, thereby improving efficiency and effectiveness."
Seems pretty straightforward: Let’s go do this. But what is "this"? How do we implement GRC? Therein lies the problem with GRC. It is being touted as the next big thing that everyone is talking about and presenting on, and new GRC products are being developed that promise to implement and track it, but I would caution you against throwing GRC into the budget. I suggest a more thorough examination of GRC and its implementation be done before organizations jump on the GRC bandwagon.
2. DLP (Data Leakage Protection)
If your organization is considering a Data Leakage Protection (DLP) solution, first ask yourself one question: “What type of data are we attempting to stop from leaking?” While this seems like a very simple question, the answer is quite complex. Many organizations are looking to implement DLP solutions without having a defined data classification guide. Without the basic principles of what is considered sensitive, DLP will be just another technology for technology’s sake. DLP should be implemented only if your organization intends to monitor its classification guide. [Remember IDS/IPS and the lack of a good Incident Response Plan (IRP), and how much trouble we had with that technology?]
3. CIA (Confidentiality, Integrity, and Availability)