Right about now, CIOs are finalizing budgets for 2010, and one of the main issues will be how to prepare for the next security threat. This is always a challenge regardless of the year; it’s akin to looking into a crystal ball and trying to counter some ill-defined potential adversary that is largely out of an organization’s direct control.
However, that is most likely not where a company’s biggest vulnerability lies. All the tools and solutions won’t matter if the people in charge of implementing and monitoring those systems don’t have the resources to manage them.
While this may appear odd coming from the head of a product manufacturer, I’m a firm believer that a robust security posture can only be delivered if there are good people in place to make it happen. This is not unlike other business operations, such as offshore software development or outsourced product fulfillment, where long-standing benefits of such initiatives are not realized without oversight and monitoring authority.
Herein lies the dilemma for many companies. Budget debates must focus not just on implementing firewalls, email gateways and unified threat management offerings, but also on the individuals and resources needed to set overarching policies and management procedures – the absence of which will mean all the money spent keeping up with the latest tools and systems will be fruitless.
So while I’m obviously not proposing that security solutions aren’t essential to keeping networks running optimally while protecting sensitive and confidential corporate data, I do submit that such systems should not be procured and installed at the expense of getting the right person with the right equipment in place to monitor and respond to evolving issues in accordance with a well-established corporate IT policy.
Moreover, companies should incorporate a cross-training program so more than one individual can perform such supervisory roles. Vacations, sick days and natural turnover of staff members require the same redundancy in management that CIOs expect from their technology. That’s because things that can go wrong not only will, but usually do when the main person is out of the office and unreachable.
Companies that successfully thwart a cyberattack will possess a well-integrated combination of the right tools with the right decision makers. No single algorithm or detection system will be enough if staff members are not given the training and tools to do their job. Make no mistake – people have always mattered and always will if organizations are to maintain a robust security posture.
Max Huang is the founder and CEO of O2Security, a wholly-owned subsidiary company of O2Micro. The company is a manufacturer and marketer of network security appliances, management tools and disaster recovery offerings for small- to medium-businesses, as well as remote/branch offices, large enterprises and service providers. Huang can be reached at email@example.com.