Buying the latest tools to secure your assets is not the way forward. A structured plan for your infosec is vital, says Illena Armstrong.
There are numerous enterprise executives who could probably relate to compulsive shoppers renowned for throwing away money on needless things.
Just like insatiable shopaholics, scores of organizations buy up security technologies that are either unnecessary or, worse yet, essential but remain unwrapped from their boxes because pressured buyers have no game plan to follow.
Rather than establish and continually adapt a holistic security program with a view of the entire enterprise, far too many companies remain guilty of relying on the latest and greatest tools to save the day, say experts.
"Wild adoption of technology ahead of understanding" remains the number one mistake made by enterprises today when attempting to secure their IT assets," says J. F. Mergen, chief scientist with Verizon Federal Network Systems.
Because of this "incredible desire to throw iron at the problem, we're winding up with complex systems that are no longer understandable by the people managing them," he adds.
Luckily, however, there are some organizations that are trying to set examples for their peers by accounting for the people, processes and, finally,
the technologies that comprise a good IT security program which scales with company growth spurts.
However, there are too few examples of these, with most corporate leaders trapped in a way of thinking that leaves enterprise-wide security planning as a mere afterthought.
Overcoming trials of the day
"As you know, [most companies] are constantly challenged with how to proactively manage risk in an ever-changing technology environment, threat landscape and the like. When you're looking at needing to proactively manage risk from a holistic, enterprise-wide perspective it can be a daunting task... especially when you're dealing with multinational organizations with very distributed IT infrastructures... [and] personnel," says Steve Buerle, security practice director at Unisys' security practice in North America.
The task is no less difficult during a time when there is little money available to create a program with an end goal of prevention – a concept that adds little to the bottom line in an immediate and obvious way.
With no evident return on the investment required to forge and maintain an enterprise-wide security program, the job of planning and managing infosecurity effectively takes second chair to all those corporate expenditures that are seen as more helpful in boosting revenue streams.
"Organizationally, companies just haven't approached security investments as that – an investment," says Chris Smith, senior director of security products with NetIQ.
"It's almost a maturity thing... companies just haven't drawn a clear connection between the ability to do business, like performance and availability reasons, and security investments. And because of that, there hasn't been a tangible ROI attached to security investments, so it just doesn't get the attention or the budget that a lot of the traditional system management stuff does."
Still, creating a plan with the goal of helping an organization to manage its infosecurity more effectively will probably enable it to leverage many of the technologies and processes it might already have in place. Not only will an enterprise-wide security program aid organizations to keep their businesses up and running, but it might also cut their operational costs and prevent willy-nilly expenditures on the newest IT security tool.
So the return on investment in security planning, while it might not be blatantly obvious, is there.
"I think in terms of ROI, the 'R' tends to come from a couple things," comments Todd Tucker, senior product marketing manager with NetIQ.
"One is simply reducing the cost of some process – a security process, or something like the cost of calls to the help desk. But the second thing is always risk reduction. The problem with it is that, because very few organizations maintain a reactive level of security, they don't properly measure risk as part of routine business."
From the beginning
What's more, constantly measuring a company's risk and the effectiveness of the steps it is taking to counteract those risks is a main component of any good security program.
To establish a holistic infosec plan that will both mitigate risks and reduce their operational costs at the same time, companies should begin with their assets, explains Unisys' Buerle.
It is difficult to understand just what a business needs in the way of a security plan if it fails to understand what it is trying to protect. Before even involving all those people and tools, it is important to figure out the criticality of the various components of the IT infrastructure by developing an asset classification model, he continues.
Complying with regulations
As part of this first step, NetIQ's Tucker suggests also taking a look at any of the government regulations and standards to which the company must comply. These might include GLBA for the financial market, HIPAA for health care, and many others.
Additionally, using standards such as ISO 17799 may also be helpful in providing a guideline to the sorts of processes that should be included in a security program. The frequent audits that companies are undertaking will also help to reveal their IT weaknesses and the moves they need to make to remove them.
In looking at both industry and fiduciary requirements, executives can then delve into what they expect to get out of the security program, gaining some inkling as to what they are attempting to protect and what risks they are hoping to protect against, comments Verizon's Mergen.
At this stage, says NetIQ's Tucker, a risk assessment must be conducted. Subsequent assessments should be undertaken no less than every year, and more regularly to be effective, he adds – such as every three to six months, if not more frequently.
Additionally, risk assessments offer much needed insight when performed in association with any business-application deployment or other business initiative.
Ultimately, how often a company assesses its vulnerabilities depends on the nature of its overall risk posture and how frequently it changes its infrastructure, adds NetIQ's Smith.
By taking inventories, prioritizing assets and identifying the company's current risk posture, planners can move on to devising a threat model that will enable them to better understand who might compromise the infrastructure, why and how, says Unisys' Buerle. Baselining both the assets and threats first helps a company to develop a policy and set up associated operations.
According to Doug Barein, senior director of security consulting services with Guardent, this means trying to understand where business and security intersect – that is, evaluating business risk as it relates to information security, so that business processes and controls, along with measurements of the program's effectiveness, are established and followed.
"Security needs to be located on the organizational chart... in a position where it has authority," he says, which is why support from other business departments and corporate leaders is so critical.
William Woloszyn, director of privacy and security at Integris Health, a non-profit healthcare organization, found such support integral. Located in Oklahoma, with some 8,500 employees, Woloszyn said that creating a culture of security has helped his organization to embrace infosec as an ongoing practice, not a simple line item purchase.
"My general thinking is that security is really a process, a journey," says Woloszyn. "What is secure today is probably in doubt tomorrow."
This is why he believes that establishing and maintaining relationships with other business units within the company is just as important as analyzing the corporate environment and prioritizing what is important within it. Creating a security charter that explains why infosec is a priority for the organization and how employees will be involved in upholding the charter is critical. Policies and procedures must be maintained by the company and will only be as effective as the support given them by employees.
All the mandates put forth in those policies must be realistic and accurate. And the company must provide end-user training, adds Woloszyn, because lack of awareness on the part of the
end-users will often lead to the circumvention of any tools put in place. Policies and processes supporting security should not operate in a vacuum. Infosec extends across the business, so the right people from various units must be involved from the start.
Get it right first time
Getting policy right the first time around means ensuring that compliance, understanding and communication are a part of its development, explains Verizon's Mergen. The policy should let everyone fully understand their obligations to the company and why these obligations exist.
After this, when moving on to the technology, company leaders must be sure that the architecture is understandable to the people responsible for its management, and transparent to the organization's end-users.
Upper management must have a clear understanding from technology administrators of what the security architecture can and cannot do and what could happen to the company if it is hit by today's cyber attackers.
Thoroughly explaining to corporate leaders how the tools help, and giving examples of other businesses whose operations were damaged by a security breach, might help to push infosec into such a position of authority.
Viewing processes and tools
Buying point products is easy. Getting a handle on all the organization's IT security requirements, involving anything from policy development through to setting up step-by-step procedures for technology deployment, is a bit more difficult, believes Andy Toner, senior partner with PricewaterhouseCoopers' security practice.
Nevertheless there are signs that corporations are trying to address infosec issues enterprise-wide, linking all the fundamental, tactical and strategic steps necessary to the execution of a holistic program. Despite the signs, most organizations are still focused on the technology, as opposed to bettering the environment on an on-going basis. Buying a tool still seems easier than taking all those steps, even if such haphazard purchases typically end up as a waste of money. "They look at the problem and get frozen," he says.
To avoid becoming overwhelmed with the process of developing a security program, James Mobley, president and CEO of @Stake, suggests looking at it in parts. Evaluating the intersection of technology with people, procedures and corporate assets will help company executives to understand the kinds of processes they must put in place.
For example, enterprises will be able to decide what rules should be included in corporate policies, how the security team should implement training and deploy any further security tools (or simply leverage what they already have in place), as well as conduct ongoing monitoring and assessment. And in the long run, companies will have the insight they need to make any necessary modifications to business strategies based on all that monitoring of their corporate procedures and practices.
Distilling infosec program development into operations, technology and organizational problems can make creating an enterprise-wide security plan a little less intimidating. What's more, focus will shift to the workings behind the tools, which are typically more important given that, as Mobley puts it, "so much of the damage is related to the processes."
He continues: "Technology in the hands of unskilled employees who don't know how to deploy it is not going to solve the problem. And even when you apply technology, the environment is changing so fast that the processes that you implement have to be consistent and tie to your own business model."
Illena Armstrong is U.S. and features editor for SC Magazine.
Security priorities Get the best from your security program
According to William Woloszyn, director of privacy and security for Integris Health, a large non-profit healthcare organization in Oklahoma, the top priorities for ensuring that organizations get the best out of their security program include: