News
Commentary
6/21/2004
10:12 AM
Commentary
Commentary
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Security Adviser: You Can Manage Proactively Or You Can Pay The Price

The key to sound security strategy is a risk-management methodology that factors in critical financial, operational, and organizational metrics. Here's an overview of what works and what doesn't.

Lovegate, Kibuv, and Bobax may sound like the unfortunate names for new generic drugs. Instead, they're among the most recent worms to be discovered, all three within a few days of each other. How do you respond to the latest threats, and deal with burgeoning security issues more broadly?

Clearly, you can decide to pour more money into the problem and select from a dizzying array of new security technology, or just augment your Purple Pill regimen, both of which are less than appealing. There is a better option: Building a sound risk-management methodology that limits your liability--and indigestion.

Obviously, there's no limit to what you can spend on security; just ask the U.S. government. Certainly there's no shortage of available technology. However, unless a company has a robust risk management and security model, costs--and problems--can spiral. It may invest money in the wrong products, have unrealistic expectations of its IT staff and spend far too much of its time and resources complying with regulatory requirements. In a worst case, IT security runs the risk of being the No. 1 barrier to new business initiatives.

Right now, the idea of developing an economical risk-management strategy is probably making you reach for the medicine cabinet. You may think about turning to your traditional accounting and consulting firm. Before taking that or any step, however, you have to accept a number of security truisms, namely:

  • Your security degrades on a daily basis


  • Your security needs are dynamic and must change as your business priorities change


  • Security, risk strategies, and loss-minimization policies have to work hand in hand.

Accounting and consulting firms don't work because security is a daily monitoring requirement. Using such firms to perform periodic audits is like driving a school bus down a major highway using the rear-view mirror. An after-the-fact review of your security vulnerabilities is a wonderful blame-assigning strategy, but it does nothing for keeping customers happy and regulators satisfied.

Further, accounting and consulting firms' methodologies primarily change in response to their business needs, not yours. The result is either a security template that doesn't take into account your unique business processes or a very expensive consulting project that once again is only a snapshot in time. Regardless of what's in your security framework, the most important requirement is that you can easily alter it when new threats and vulnerabilities emerge. If you can't alter your methodology, it becomes a straitjacket that impedes new business initiatives.

Accounting firms also don't work because they typically demand that you retrofit security requirements to existing operations. Instead of rigid, "after-the-fact" audits, IT operational staff require an accessible framework that can be built into project and policy planning. This will allow you to hit the sweet spot of attack prevention (using cutting-edge technology) and loss minimization (based on proper business practices and safeguards).

Managing Risk
Rather than hiring a traditional accounting or consulting firm, what's needed is a state-of-the-art risk-management methodology. There are six crucial factors in building such a methodology:

  • It must be equally useful to both internal IT resources and outside security consultants


  • It must be capable of allowing IT staff to lower regulatory compliance costs


  • It must be independent from your loss-prevention policies but, at the same time, allow for a unified financial view of security


  • It must allow for--and define how--results can be verified


  • It should be independent of security technology vendors


  • It should provide a quantitative risk assessment in two parts: justified risk (inherent risk of doing business), and actual risk (current vulnerability of your systems.

In the end, you have basically three choices: Hand over responsibility to your old-line consulting firm, making security, at best, a black box, and at worst, a black hole for consultant expenditure; keep popping the purple pills; or make sure your risk-management methodology meets the six crucial tests for being "state of the art," and, thereby, tie security spending directly to stronger financial performance.

The choice seems clear. In our next column, we'll provide a road map for how to build this methodology from inside your company.

Scott McCready is president of CIOview Corp., the industry-standard provider of IT analysis software used by the Fortune 2000 to make better IT purchase decisions. He has more than 20 years experience in management and technology consulting, and is a specialist in determining the business value of technology investments. His expertise spans finance and technology, including enterprise infrastructure decisions, security, server optimization and complex systems configuration. CIOview is a trusted provider of ROI and total cost of ownership software to worldwide corporations and IT vendors including IBM, Intel, and Microsoft.


To discuss this column with other readers, please visit the Talk Shop.

Comment  | 
Print  | 
More Insights
The Business of Going Digital
The Business of Going Digital
Digital business isn't about changing code; it's about changing what legacy sales, distribution, customer service, and product groups do in the new digital age. It's about bringing big data analytics, mobile, social, marketing automation, cloud computing, and the app economy together to launch new products and services. We're seeing new titles in this digital revolution, new responsibilities, new business models, and major shifts in technology spending.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - July 22, 2014
Sophisticated attacks demand real-time risk management and continuous monitoring. Here's how federal agencies are meeting that challenge.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.