August 21, 2000
Viewpoint:
Put A Security Plan In Place First
Cogent programs are vital in mergers and acquisitions
By Jeff Johnson

A male-female security consulting team recently conducted an on-site assessment for a large telecom company. After the team made brief visits to the restroom, the man asked his partner to look into the men's room. The female consultant peeked through the outer men's room door to see an open side door. It revealed the wiring closet not just for that floor, but for the entire 17-story building. With wires neatly labeled, she had easy access to the wiring of more than a dozen large regional companies.
This anecdote illustrates that while companies may spend millions on first-rate information security technology, step one in making a company secure is the creation of an overarching security program. The program needs to include internal awareness, policy, and governance--as well as technology. It must also modify the behavior of users. Without a well-supported security program in place, even perfect technology won't substantially lessen the risk. Companies also need the services of a security program architect--on staff or outside--to create a master plan that unites these elements.
The breadth of the program will depend on the company size as well as the value of its assets. Generally, a company with revenue approaching $100 million can expect to spend about $200,000 on developing a fairly comprehensive program, and $200,000 per year to maintain it.
Earlier this year, electronic break-ins at CD Universe and RealNames Corp. resulted in the public release of thousands of credit-card numbers over the Web. Denial-of-service hacking also heightened the public's awareness of security issues. Security breaches can damage a company's reputation by triggering significant financial losses as a result of downtime or shareholder lawsuits charging the business with lax security. The consequences of faulty security can be significant, as in the case of CD Universe.
Companies adopting best-practice programs should coordinate their initiatives with business operations and customer service. Security policy requires participation from top management and must not be relegated to the IT department alone. The program will work best when it's considered as a framework that unites the company so that it can establish priorities about policies, standards, and procedures; internal and external awareness and training; architecture; and organization and governance.
A cogent program is especially critical in a merger or acquisition environment. It should address issues such as E-mail systems, product sets, and networking in the newly conjoined companies. The security program should be thought of as a long-term process and not as a stationary goal.
Internally, the program will help eliminate the sticky notes containing user passwords that decorate a number of PCs--passwords accessible to the cleaning crew. The program helps foil such social engineering tricks as when the bogus employee from network operations calls for a password so he can run a quick test E-mail. Internal awareness should lead to regular checks of server logs and, yes, checks that doors are locked. A security program must reach customers who inadvertently threaten security by revealing passwords for their America Online, Yahoo, or trading accounts. Business partners also need to be aware of potential problems.
The most common mistake in security management is purchasing technology without a policy context. One of our consultants visited a Midwestern manufacturer that had sunk millions into a state-of-the-art intrusion-detection system. Yet, during the previous several months, the company hadn't routinely checked its firewall logs.
Security managers can easily fall prey to the technology silver-bullet syndrome. But technology isn't the problem; technology in isolation is. Eager companies could lose money by making financial commitments outside the enterprise-wide security program. Instead, companies should consider more measured approaches such as pilot programs or ramping-up techniques that involve the implementation of small-scale systems by different divisions. The company then compares these localized trials.
Companies often spend money to fix individual security problems without examining how a local solution fits into the big picture. CD Universe, for example, had firewalls in place but was penetrated because of a lack of effective standards and policies. Large companies have autonomous business units with a hodgepodge of noninteroperable systems that don't necessarily adhere to uniform compliance standards. As a result, without a master plan, they could end up less secure than before. The security program is a compass that ensures that everyone is traveling along this path in the same direction.
Jeff Johnson is president and CEO of METASeS, an Internet security firm in Atlanta. He can be reached at jeff.johnson@metagroup.com