Security Adviser: You Can Manage Proactively Or You Can Pay The Price - InformationWeek


The key to sound security strategy is a risk-management methodology that factors in critical financial, operational, and organizational metrics. Here's an overview of what works and what doesn't.

Lovegate, Kibuv, and Bobax may sound like the unfortunate names for new generic drugs. Instead, they're among the most recent worms to be discovered, all three within a few days of each other. How do you respond to the latest threats, and deal with burgeoning security issues more broadly?

Clearly, you can decide to pour more money into the problem and select from a dizzying array of new security technology, or just augment your Purple Pill regimen, both of which are less than appealing. There is a better option: Building a sound risk-management methodology that limits your liability--and indigestion.

Obviously, there's no limit to what you can spend on security; just ask the U.S. government. Certainly there's no shortage of available technology. However, unless a company has a robust risk management and security model, costs--and problems--can spiral. It may invest money in the wrong products, have unrealistic expectations of its IT staff and spend far too much of its time and resources complying with regulatory requirements. In a worst case, IT security runs the risk of being the No. 1 barrier to new business initiatives.

Right now, the idea of developing an economical risk-management strategy is probably making you reach for the medicine cabinet. You may think about turning to your traditional accounting and consulting firm. Before taking that or any step, however, you have to accept a number of security truisms, namely:

  • Your security degrades on a daily basis

  • Your security needs are dynamic and must change as your business priorities change

  • Security, risk strategies, and loss-minimization policies have to work hand in hand.

Accounting and consulting firms don't work because security is a daily monitoring requirement, not a periodic one. Using such firms to perform occasional audits is like driving a school bus down a major highway using only the rear-view mirror. An after-the-fact review of your security vulnerabilities is a wonderful blame-assigning strategy, but it does nothing to keep customers happy and regulators satisfied.

Further, accounting and consulting firms' methodologies primarily change in response to their business needs, not yours. The result is either a security template that doesn't take into account your unique business processes or a very expensive consulting project that once again is only a snapshot in time. Regardless of what's in your security framework, the most important requirement is that you can easily alter it when new threats and vulnerabilities emerge. If you can't alter your methodology, it becomes a straitjacket that impedes new business initiatives.

Accounting firms also don't work because they typically demand that you retrofit security requirements to existing operations. Instead of rigid, "after-the-fact" audits, IT operational staff require an accessible framework that can be built into project and policy planning. This will allow you to hit the sweet spot of attack prevention (using cutting-edge technology) and loss minimization (based on proper business practices and safeguards).

Managing Risk
Rather than hiring a traditional accounting or consulting firm, what's needed is a state-of-the-art risk-management methodology. There are six crucial factors in building such a methodology:

  • It must be equally useful to both internal IT resources and outside security consultants

  • It must be capable of allowing IT staff to lower regulatory compliance costs

  • It must be independent from your loss-prevention policies but, at the same time, allow for a unified financial view of security

  • It must allow for--and define how--results can be verified

  • It should be independent of security technology vendors

  • It should provide a quantitative risk assessment in two parts: justified risk (the inherent risk of doing business) and actual risk (the current vulnerability of your systems).

In the end, you have basically three choices: Hand over responsibility to your old-line consulting firm, making security, at best, a black box, and at worst, a black hole for consultant expenditure; keep popping the purple pills; or make sure your risk-management methodology meets the six crucial tests for being "state of the art," and, thereby, tie security spending directly to stronger financial performance.

The choice seems clear. In our next column, we'll provide a road map for how to build this methodology from inside your company.

Scott McCready is president of CIOview Corp., the industry-standard provider of IT analysis software used by the Fortune 2000 to make better IT purchase decisions. He has more than 20 years experience in management and technology consulting, and is a specialist in determining the business value of technology investments. His expertise spans finance and technology, including enterprise infrastructure decisions, security, server optimization and complex systems configuration. CIOview is a trusted provider of ROI and total cost of ownership software to worldwide corporations and IT vendors including IBM, Intel, and Microsoft.
