Industry Article - Apr 06 Issue
Corporate IT Security Resources are Wasted!
Why are the Other Two Approaches Less Effective?
The Secure It approach is where the goal is to build a 100% secure system. This approach is often accepted by "risk averse" or "risk avoidance" managers, who are easily persuaded by FUD (Fear, Uncertainty and Doubt) justifications or scare tactics from vendors or consultants. It is also an unaffordable and unachievable goal: the FUD approach is often very expensive, the 100% goal is unrealistic, and no business can afford to keep paying for a system that will never actually be 100% secure.
The Technology approach's goal is to prevent attacks on a system using technical solutions (e.g., firewalls, encryption, intrusion detection, authentication tokens, etc.). Security justifications that rely on technical terms and complex explanations (e.g., SSL, Cracker, DDOS, VPN, IDS, PKI, etc.) rarely give management a clear understanding of the problem and their options, making it very difficult for them to make an effective security decision.
After supporting over 150 security assessments on systems that have used these approaches, we have identified the following truths:
- A 100% secure system is not affordable, nor will it meet operational requirements or be acceptable to users
- Using the best, most complex and strongest security solutions can kill a business faster than any hacker, insider, virus, worm, or terrorist
- The most successful system security programs are 10-30% technology, used to augment the traditional security solutions (policy, procedures, physical, personnel, etc.)
- Securing any system without understanding the organization's business model, operations, and the users' culture, capabilities and expectations will negatively impact the corporation's profitability. It will also result in dollars being spent on ineffective safeguards.
A Business Approach
The best approach is from a Business perspective, where the goal of security is to meet an organization's business goals and objectives. This approach starts with knowing the organization's business goals, operations, information flow, and users.
Business is about meeting the goals and objectives of the organization. What is the business of the organization? Examples might be: providing services, distributing information, selling and shipping products, reserving transportation or properties, etc.
Operations are about how the organization accomplishes those goals and objectives, and with what structure. Some examples might be: interfacing with banks, shipping products, communicating with partners and employees, advertising products and services, etc.
Information Flow is important because it explains how things are controlled; how people receive the information they need to take actions and/or make decisions; what is sensitive and what is public; how fast information has to move; etc.
Users' expectations, culture, environment and capabilities (knowledge, and computer and network connections) are critical to determining which security solutions will be most effective for a system. Would an accountant and a researcher accept the same authentication solution? What personal information is considered sensitive by the individuals filling out the forms? What would be the result if an online store required buyers to have a smart card to conduct a transaction? Do they understand why security is important to the business?
The Business approach allows anyone to gather the security information without asking a single intimidating security question. This makes the security assessment a more cooperative effort for corporate personnel. It also allows everyone to understand why the system is there, how it operates, what elements are critical, and why security is required. Examples:
- The computer providing the corporate homepage only needs integrity protection to protect it from unauthorized changes, whereas the system selling products must protect customer information, so it requires confidentiality, integrity, and authentication.
- The system providing forms can be down for days, but the system coordinating transfers of harvested organs must be available 24/7.
The Business approach will also give the system manager an understanding of the business, business terminology, motivations and justifications. The manager will then be able to explain the need for security in business operations' terms to senior management.
Finally, it will allow senior management to understand how the system's residual security risks and deviations from standards need to be corrected, or are acceptable for business and operational reasons. This also allows management to make cost-effective decisions related to corporate security.
Identifying each individual's responsibilities and basing IT security on business needs are the keys to effective IT security and to reducing frustrations at all levels of the organization.
Al Payne, CISSP, has 30 years of IT experience including nine years in security. He is a Certified Information Systems Security Professional (CISSP), has been a business owner, executive, operational manager, strategic advisor for business, and is an entrepreneur whose business plans have secured millions in business capital. He is also senior computer security consultant for Certification & Accreditation, Risk Assessments, Plan of Action and Milestones (POA&M), and co-author of "KNOW Cyber Risk". For article feedback, contact Al at firstname.lastname@example.org.
Jim Litchko, CAS, is Founder and President of Litchko & Associates, Inc., which provides proactive, innovative approaches for industry and government managers and executives to secure their IT systems. He has 30 years of security experience, including five years at the National Security Agency (NSA), has conducted over 100 security assessments, and has worked as an executive at three IT security companies. Since 1988, he has been an adjunct professor at Johns Hopkins University and has taught courses at many professional security institutions. Jim is also a professional member of the National Speakers' Association and the author of "KNOW Your Life and KNOW IT Security". For article feedback, contact Jim at email@example.com.