The second important area is policy. It amazes me how many organizations still don't have a competent security policy. Today's networks are very complicated. There is no way, in an organization of just about any size, that we can get our arms around securing the network without some roadmaps. Those roadmaps are policies.
The final area is tools. If the organization does not have strong awareness at all levels, and appropriate policies from which to derive such things as access control, need-to-know versus need-to-share, etc., its security tool set won't help it much.
Unfortunately, today's cost is higher than ever. It's high if we implement the three security areas and it's even higher if we don't. And the cost goes beyond the costs of security. In today's regulatory environment it goes straight to the responsible individual -- the boss. In a post-Enron world, the cost paid to be the boss could be heavy personal fines and jail time.
As it happens, there are minimal hard costs associated with awareness and policy. Our challenge, of course, is getting that point across. We often get lip service without real support, and we often see the "check-in-the-box" syndrome.
In the check-in-the-box syndrome, the organization undergoes the minimum preparation for an audit. The idea is: if all the boxes on the audit checklist are ticked off, there is no upstream liability. I saw an egregious example of that recently where a colleague was lured into a high-paying job just long enough to produce the Sarbanes-Oxley documentation the company needed. This is about as short-sighted as I can imagine. What happens if the worst occurs and, as a result of shoddy security -- whether it passes the audit or not -- a huge and expensive data loss occurs?
It's all part of the cost. And regardless of who pays it, pay it we must. So, as we take our security awareness message to management, perhaps it really should be a message of paying the cost to stay the boss. It certainly is the message we need to deliver to mahogany row.
Peter Stephenson is an adjunct professor and associate program director in the Master of Science in Information Assurance program at Norwich University.