Security Adviser: You Can Manage Proactively Or You Can Pay The Price
The key to sound security strategy is a risk-management methodology that factors in critical financial, operational, and organizational metrics. Here's an overview of what works and what doesn't.
Lovegate, Kibuv, and Bobax may sound like the unfortunate names for new generic drugs. Instead, they're among the most recent worms to be discovered, all three within a few days of each other. How do you respond to the latest threats, and deal with burgeoning security issues more broadly?
Clearly, you can decide to pour more money into the problem and select from a dizzying array of new security technology, or just augment your Purple Pill regimen, both of which are less than appealing. There is a better option: Building a sound risk-management methodology that limits your liability--and indigestion.
Obviously, there's no limit to what you can spend on security; just ask the U.S. government. Certainly there's no shortage of available technology. However, unless a company has a robust risk management and security model, costs--and problems--can spiral. It may invest money in the wrong products, have unrealistic expectations of its IT staff and spend far too much of its time and resources complying with regulatory requirements. In a worst case, IT security runs the risk of being the No. 1 barrier to new business initiatives.
Right now, the idea of developing an economical risk-management strategy is probably making you reach for the medicine cabinet. You may think about turning to your traditional accounting and consulting firm. Before taking that or any step, however, you have to accept a number of security truisms, namely:
Your security degrades on a daily basis
Your security needs are dynamic and must change as your business priorities change
Security, risk strategies, and loss-minimization policies have to work hand in hand.
Accounting and consulting firms don't work because security is a daily monitoring requirement. Using such firms to perform periodic audits is like driving a school bus down a major highway using the rear-view mirror. An after-the-fact review of your security vulnerabilities is a wonderful blame-assigning strategy, but it does nothing for keeping customers happy and regulators satisfied.
Further, accounting and consulting firms' methodologies primarily change in response to their business needs, not yours. The result is either a security template that doesn't take into account your unique business processes or a very expensive consulting project that once again is only a snapshot in time. Regardless of what's in your security framework, the most important requirement is that you can easily alter it when new threats and vulnerabilities emerge. If you can't alter your methodology, it becomes a straitjacket that impedes new business initiatives.
Accounting firms also don't work because they typically demand that you retrofit security requirements to existing operations. Instead of rigid, "after-the-fact" audits, IT operational staff require an accessible framework that can be built into project and policy planning. This will allow you to hit the sweet spot of attack prevention (using cutting-edge technology) and loss minimization (based on proper business practices and safeguards).
Rather than hiring a traditional accounting or consulting firm, what's needed is a state-of-the-art risk-management methodology. There are six crucial factors in building such a methodology:
It must be equally useful to both internal IT resources and outside security consultants
It must be capable of allowing IT staff to lower regulatory compliance costs
It must be independent from your loss-prevention policies but, at the same time, allow for a unified financial view of security
It must allow for--and define how--results can be verified
It should be independent of security technology vendors
It should provide a quantitative risk assessment in two parts: justified risk (inherent risk of doing business), and actual risk (current vulnerability of your systems.
In the end, you have basically three choices: Hand over responsibility to your old-line consulting firm, making security, at best, a black box, and at worst, a black hole for consultant expenditure; keep popping the purple pills; or make sure your risk-management methodology meets the six crucial tests for being "state of the art," and, thereby, tie security spending directly to stronger financial performance.
The choice seems clear. In our next column, we'll provide a road map for how to build this methodology from inside your company.
Scott McCready is president of CIOview Corp., the industry-standard provider of IT analysis software used by the Fortune 2000 to make better IT purchase decisions. He has more than 20 years experience in management and technology consulting, and is a specialist in determining the business value of technology investments. His expertise spans finance and technology, including enterprise infrastructure decisions, security, server optimization and complex systems configuration. CIOview is a trusted provider of ROI and total cost of ownership software to worldwide corporations and IT vendors including IBM, Intel, and Microsoft.
To discuss this column with other readers, please visit the Talk Shop.
IT's Reputation: What the Data SaysInformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business really views IT's performance in delivering services - and, more important, powering innovation. Our results suggest IT leaders should worry less about whether they're getting enough resources and more about the relationships they have with business unit peers.
What The Business Really Thinks Of IT: 3 Hard TruthsThey say perception is reality. If so, many in-house IT departments have reason to worry. InformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business views IT's performance in delivering services - and, more important, powering innovation. The news isn't great.