Everyone was certainly paying attention. An awkward silence fell over them, followed by expressions of disbelief that our employees could be engaged in such risky behavior. But the data could not be ignored, and the value of the tool that had made the behavior visible for the first time was clear to all.
This was my chance to jump into my top findings and recommendations. I strongly advocated tightening up the corporate network by segmenting into security zones, restricting the use of and access to risky applications, and obtaining visibility into threats to our company. That last point was a thinly veiled plea for the funds to purchase a tool that would give us the kind of monitoring we had seen with our Palo Alto proof of concept.
I also recommended arming our PCs with a more advanced endpoint detection capability, tighter group policy and full disk encryption. Finally, I reinforced my belief that technology isn't the whole story by arguing that changing behavior is essential if we are to avoid falling victim to the types of security breaches we have seen in the news within the past several years. In other words, we need to implement an enterprise-grade security awareness and training program.
So I have made my arguments and presented my concerns. I hope it gets us on the road to better security.
Sign up for CIO Asia eNewsletters.