Monday, March 29, 2010

Critical Mass


A thought that occasionally comes back to me: at what point does the size of a company create security challenges that are not, or perhaps cannot be, addressed? Where is the sweet spot between too small to actually do security well and too big to have a handle on what is happening at any given moment?

In the small/medium space (say, fewer than 250 full-time employees), where I have lived most of my cubicle-dwelling life, there has been understanding of and support for some of the security basics such as antivirus/antispyware, firewalls, email and Internet filtering, and OS patching, but beyond that it is hard to justify and get buy-in for the budget dollars needed to take things to the next level of maturity. Between the cost of some of the better IDS/IPS and SIM/SEM/SIEM solutions and the IT staff time and expertise needed to monitor them, and to understand what requires attention and what is just noise, it is a tall order.

On the ginormous side of the world, how do large global companies with 10,000-plus employees address the bureaucracy, enormity, and complexity? Thinking about how to manage, or even get my puny mind around, tackling InfoSec at that scale and scope makes me dizzy.

I have no answers on this topic, only more questions.

Image courtesy of the Wikipedia article on complexity science:
http://en.wikipedia.org/wiki/Complexity
&
http://www.art-sciencefactory.com/complexity-map_feb09.html
(Very cool t-shirts here.)
