Enterprise Security Can Get Complicated: Building a Security-Aware Culture

Your executive team gets it. They've approved the budget, they mention security in board meetings, they understand the stakes. You're not fighting for recognition at the top anymore.

But then you look at what's actually happening three levels down. The marketing team is sharing credentials to social media accounts. Sales is pushing back on multi-factor authentication (MFA) because it adds seconds to their login process. Developers are storing API keys in public repositories because it's faster than the approved method. Remote employees are working from unsecured networks and don't think twice about it.

The executive commitment is there. The company-wide behavior isn't. And that gap is where breaches happen.

This is the challenge that keeps security leaders up at night. You have the mandate from above, but translating that into thousands of daily decisions made by people who have completely different priorities is a different game entirely.