SmartAdvice: Consider Hardware, Software, And User Education In Securing Your Networks
If you don't have the right skills to secure your networks in-house, run a security audit, then look for outside expertise, The Advisory Council says. Also, boost software quality with a formal application-development methodology.
Editor's Note: Welcome to SmartAdvice, a weekly column by The Advisory Council (TAC), an advisory service firm. The feature answers three questions of core interest to you, ranging from career advice to enterprise strategies to how to deal with vendors. Submit questions directly to email@example.com.
Question A: We don't have the skills to properly secure our network. What factors should we consider in selecting a managed security service provider?
Our advice: Since the consequences of not properly securing your network can be extremely costly to your business, it is wise to take network security seriously. Recognizing that you don't have the necessary skills in-house is the first step toward securing the right resources. Ask other businesses which network security companies they have had good experiences with. Don't skimp on your pre-qualification research--after all, you'll be entrusting your company's information to the vendor, so you must feel comfortable that it will deliver peace of mind. To minimize your vendor risk, look for a combination of good references, deep experience in securing network systems, and industry-recognized certifications.
Before committing to any system changes, hire a firm that specializes in security audits to make an assessment of your existing conditions. Choose an auditor with deep experience and solid references. Computer security has been a specialty for more than 10 years, so there are plenty of firms available with the expertise you need. For extra assurance, there are a number of reputable security certifications that will ensure that the person at least knows enough about computer security to pass the exams. The Certified Information Systems Security Professional certification is best known for being comprehensive, but there are others.
It's important to think about how much security you actually need. For example, if you're in the health-care industry, HIPAA requirements will mean that you'll need to concentrate on applications security in addition to the standard firewalls and antivirus software. Remember that computer security is a combination of hardware, software, and user education; you'll need to consider all three to create an effective security system. If you need specialized security expertise due to the nature of your industry or business, don't hesitate to confirm that the vendors you're considering have that expertise.
Once you've completed the audit and determined your real security needs, there are a number of approaches you can take to secure your networks. You can hire an outside firm to manage all of your systems, or use an outside company to manage just your firewalls so you can concentrate on strengthening your internal security. If you're already using a vendor for managing your desktop systems and servers, chances are they'll already have the expertise you need. If not, there are products on the market designed to help businesses secure their systems without the need for a deep knowledge of network security.
In conclusion, select computer security companies on the basis of a combination of security expertise, good customer references, and certifications. Perform a systems audit to determine existing conditions and your security requirements before making radical systems changes. From the audit information, you'll be able to implement an appropriate mix of systems to protect your business against computer-security threats.