Reviewing a security strategy is a major undertaking that will test a wide range of skills far beyond IT competencies.

In addition, companies are often uncertain about what actually needs securing within the organization. What needs protecting and from who? What questions should the organization ask, and what methodologies should be exploited when embarking on a security infrastructure revision?

Traditionally, IT security has stopped at the perimeter, but this is changing and businesses are starting to understand the impact of poor security on their ability to function. Buying security poses a very unique set of problems, as there is no direct financial benefit to the organization in the eyes of most financial officers. Security is an insurance policy and ensuring budgets are accepted involves research, planning, education and a certain amount of tenacity.

The importance of security has risen up the corporate agenda, but so have cost cutting and revenue maximization. Security's position on the agenda has largely been driven by the technology's place as an integral part of daily business life and the negative media coverage received by those that have fallen foul of problems. In the past, computers were used for internal tasks that did not directly impact the organization's ability to function. However, modern computer systems touch on every aspect of a business, tangible and intangible.

Asking the right questions

Before a company can begin to review IT security provisions, it must understand exactly what needs protecting and the risks the business is exposed to if insufficient provisions are put in place. Vulnerability and risk assessments are essential to expose areas of weakness and identify process and contingency failings with any number of disaster scenarios. This may not be a task that you are equipped to manage internally, so budgeting for this may be a prudent decision. Without risk assessment you will not be able to make cost-effective decisions further down the line.

It is no longer a case of simply protecting the computer system and ensuring users can access their email. What actually needs protecting? Start with the data and understand that this is the center of the organization and the point at which all information is stored and extracted. The value of this intellectual property increases with each day as it becomes more refined and continues to grow. Understanding how this property is dispersed across the organization is vital: How many offices are being protected? How geographically spread are they? Will there be a need to protect data on different architectures and platforms, such as Unix/Windows and wireless networks?

The U.K.'s new Data Protection Act clearly stipulates that the directors of an organization are directly responsible for any misappropriation of data held by the company, and are liable for prosecution. It is vital that you ensure the board is aware of this fact (or of the equivalent national legislation) during the security review process, as it may become an encouraging factor when seeking an appropriate budget.

In addition, security, or rather a lack of it, can affect less tangible business assets. Share prices are often affected by web-defacements or media coverage of hacked e-commerce sites. Customers will not shop with you if confidence in the safety of your web site is in question. Ultimately, an organization's reputation is key to its success, totally intangible and very hard to repair once damaged.

Designing a strategy

Of equal importance is understanding where the company's future lies. Although this may seem obvious, and is taken into account when preparing an umbrella IT strategy, the specific security implications of the corporate strategy can often be overlooked. It is highly likely that there will be new ventures, such as the increasing virtualization of the business through home working, or a planned expansion that will impact the way IT is being used within the organization. Having a clear understanding of corporate strategy is essential when designing a security strategy that will evolve over a number of years, rather than need replacing in two.

It is clear that understanding the reach security has within an organization is key to ensuring that all the relevant resources are utilized when beginning a security review. Once all the necessary background information has been collated, a true picture of the organization will emerge and the strategy required to meet future security needs will start to suggest itself.

Formulating the security review itself must not be restricted to a hardware/software shopping list. This is a common mistake, which can result in weak security provisions. A layered approach should be adopted when defining the details of the review. Firewalls and anti-virus software will always be an essential part of any security provision, but are not sufficient to constitute an effective security strategy within modern organizations. Layering security products will create a much deeper defense mechanism. For instance, techniques such as intrusion prevention software, biometrics, smartcards and swipe passes work in different ways and at different levels, so that combining them creates a much stronger security infrastructure.

A layered approach will involve looking at policy, hardware, software and education to ensure that an effective strategy is formed. When considering the areas to be reviewed it is important to bear in mind that the organization's security is only as strong as its weakest link.

The most difficult to control and often overlooked aspect of any security infrastructure is the human firewall. No matter how solid the defenses implemented, users will ultimately be the weakest link in the chain. Educating them on the implications of writing down passwords, or setting software to remember passwords is only part of the problem. This process of education must be ongoing and form an integral part of every new employee's induction and departure.

Educating users on the issues surrounding mobile computing is critical to protecting those elements of the corporate network that go out into the public domain every day. Laptops and PDAs hold a variety of information and provide access to email and other network resources. Even an opportunist thief could benefit from information stored in a poorly secured device. It is particularly difficult to enforce standardization and policy amongst PDA users, as they are usually the owners of the device. Because owners do not see the PDA as a computer, they are much more careless with them than they would be with a corporate laptop.

The next step

So having put a plan in place to educate the users on the importance of security, the next step is to take a good look at the expertise available in-house. It's very tempting, if resources are low, to look at a managed security service, but this should be considered with a great degree of caution. For trusted security, it is better for a company to keep the function in-house. Most people outsource security because of a lack of knowledge or resources within the company without really comprehending that they will still need to become involved at a certain level.

The really important thing to note when considering whether or not to outsource security is to appreciate that it does not remove responsibility from the outsourcer. Any business remains ultimately responsible for its security and protecting its information and assets. The one consideration should always be: which method will keep the business more secure?

Top ten questions to ask yourself when buying security

1. Do you know what you need to protect?
2. Do you know what you are protecting it from?
3. Have you completed a risk assessment?
4. Have you researched the legal obligations of your company?
5. Does your security strategy mirror your business strategy?
6. Have you considered the training implications for users?
7. Do you have appropriate skills and resource in-house to fulfill the
    project, or do you need outside help?
8. Have you planned for the use of mobile technology within the
    organization?
9. In-house or outsource. Have you thoroughly investigated all the
    options?
10. Unlike other IT projects you can't use ROI metrics to secure
    security budget. Have you got the right kind of evidence to
    support your case?

If you can answer all these with a 'yes' then you are ready to take your presentation to the board!
 
By the time you get to the stage of actually writing the security proposal that will be presented to the board, you will no doubt be buried in a deluge of information. Ensuring this is laid out in a clear and concise way is important, but the most important thing is to take time over writing the executive summary. Remember who the audience is: the board will not have the time or inclination to read a 50-page proposal containing misuse policies and disaster recover plans.

A key issue for any organization looking at extending or implementing security measures is always going to be budget. In the current economic climate, management teams and corporate boards generally require metrics, particularly return on investment (ROI) statistics. But when putting your proposal to the board, you must make them understand that it's futile trying to calculate ROI for security products. A thorough risk assessment should be the basis for any investment in security. When considering security spend, companies must think about the consequences of a security breach – the greater the harm that might result, the higher the security levels need to be.

Another important budgetary consideration is training. Will you need to train your staff in how to use new systems? Have you the expertise to do this in-house or will you need to use outside consultants? Don't forget the costs of training and educating the staff generally within the organization – will you need to run seminars, or produce guides to help them understand the issues?

Once you've looked into all these aspects, you should have a good idea of how your security policy is shaping up. You then get a clear indication of what needs protecting, which types of product you need and how to deploy them. Presenting this information in a clear and concise way will be the secret to securing project go-ahead. Take as much time on preparing documents and considering the audience as you did on research, if not more. The proposal document and any presentations are the sales collateral that will determine whether you are successful. Poorly thought out projects are often approved because of great proposals, but it rarely works the other way round.

Iain Franklin is European vice president of Entercept Security Technologies (www.entercept.com).