This is my 2nd favorite picture to use in a presentation. (I'll talk about my favorite picture in a future post!) It shows a classic security failure... the use of an ineffective security control.
A gate, when used appropriately, is a time-tested security control that can be very effective. For instance, if we have a high fence or wall with an opening, a gate at that opening can prevent or control access. There can be guards posted at the gate to vet visitors. There can be some kind of key card reader which can both validate the visitor and raise the gate. There can be some kind of intercom and/or camera which is monitored at another location. You get the idea... there are two key components that make the gate work. One is an authentication mechanism (card, camera, guard), and the other is the physical structure (the fence or wall) that forces one to use the gate.
Clearly the latter is what is missing in this picture.
We can look at our information security controls the same way. Let's start with policy... Are your policies and standards explicit? Which is easier at your organization... to comply with policy, or to work around policy to get work done?
Do you have rules about how data can be used or transported? Do your rules take into account how people actually do their work? And if the rules are not followed, are there consequences? Is it more costly to follow the policy or to circumvent the policy?
We can come up with example after example. But the real question is, do your security controls and practices consider the business need? Remember, business drives security, business drives IT. Make sure you are working closely with the business side of your organization.
How are you connecting with your business organization? Do your security controls and measures both support the business and protect the business? How do you know you have effective, useful controls?