ORIX METRO“ Complementing that with the annual programme that we do and the weekly quizzes that we have is part of how you sustain awareness in the company.”
Security leaders have to balance making information security policies strong enough to protect against new threats while also keeping them practical and easy for employees to follow.
If a policy is too strict or complicated, employees will often find ways around it, especially if they need to work quickly. This can increase risk for the company. On the other hand, if a policy is too relaxed, it can give a false sense of security and leave important assets unprotected.
“ We have what we call in security a‘ compliance theatre’. It’ s where you have all of the policies on paper, but nobody really follows them. It’ s just there for compliance,” says Mathieu.
“ That’ s a big no-no. Your policies should be the main governance on how you do things, how you implement new solutions, how you maintain solutions and how you secure every individual facet of your business.
“ We align our security practices with ISO 27001 and the US federal government’ s information security standards. Why? Because it covers everything that ISO doesn’ t have. And I don’ t want to have gaps in my policies or in how we make sure they’ re followed.
“ It has to be easy to understand and it doesn’ t have to impede on all of your employees’ day-to-day tasks. That’ s how you secure the organisation while keeping your employees happy.”
14 orixmetro. com. ph