Industry Article - Apr 06 Issue
Corporate IT Security Resources are Wasted!
By Al Payne and Jim Litchko, Internet Security Experts
Thirty percent of IT security resources are wasted because of the inappropriate approaches used to review a corporation's IT security needs and because the key players, executives, IT managers and IT security professionals, misunderstand their roles and responsibilities.
Effective IT security programs are achieved when the IT manager is open, honest, motivated and realistic about the IT security status. This begins with conducting a practical system security assessment and ends with providing adequate safeguard options to reduce risk to an acceptable level for the business.
All too often, IT program managers are fearful of what security problems they will uncover, because they believe that finding vulnerabilities reflects negatively on their work or simply adds one more item to an already long list of corrective actions. The supporting IT security professionals, whether on staff or consultants, are typically very enthusiastic about finding vulnerabilities and recommending the ultimate (most secure, most complex, most technical and most expensive) security solution. The IT program manager gets no practical support from them, the relationship between the two becomes non-cooperative, and the problem is further exacerbated.
This is where management and leadership must step in to set expectations by defining responsibilities and establishing a new approach for reviewing IT security.
First, executive management must ensure that all the players understand their IT security roles and responsibilities:
- Security professionals, whether on staff or consultants, are responsible for identifying any outstanding vulnerabilities in the system and for providing multiple safeguard recommendations that reduce the security risk to an acceptable level. They are also often responsible for implementing, testing and monitoring the security of the systems.
- IT managers are responsible for understanding the impact of the security vulnerabilities on business operations, for presenting a concise, non-technical summary with multiple solutions to management, and for making a business- and system-based recommendation to management.
- Executive management are the only persons who can determine what level of business or mission risk is acceptable; neither the IT manager nor the security professionals can make that call. Executive management also make the final decision on which security solution will be deployed.
- The IT manager and the security professionals implement the final decision.
Knowing that the final decision on what level of risk is acceptable rests with executive management is key to motivating the IT manager to demand a risk assessment. This one action removes the frustration of IT managers and security professionals who otherwise feel responsible for making their system 100% secure and who feel that any security breach "outside of the acceptable risk perimeter" is their fault.
Second, executive management must establish the procedure that the IT manager will offer multiple options, technical and non-technical, whenever presenting an IT security concern, together with a supporting business impact analysis, so that the executives can make clear, realistic and cost-effective decisions. Requiring these two things spares the executives long, frustrating, incomprehensible technical discussions that end with a single expensive, "do it or die" solution.
Establish the Right Approach
Having established these responsibilities and procedures, the IT managers and security professionals must be re-oriented to approach security from a business perspective. Why is this important?
Managers and security professionals use one of three approaches to IT security:
- The Secure It approach
- The Technology approach
- The Business approach
The first two approaches lead to inefficiencies and frustration. Our experience shows that the business approach is the most effective method of implementing acceptable business-based risk levels.