The move couldn't come at a more appropriate time, especially given the recent Wall Street Journal report that cited internet attacks against specific, mission-critical defense programs, as well as the U.S. electric grid, are growing in numbers and sophistication. The danger is real and, what's more, is not merely limited to national security targets.
Companies of all shapes and sizes suffer from similar attacks and deal with these same issues every day. While no one typically dies from such actions, compromised information networks can put an organization's very life in jeopardy. What's more, the threats are as varied and as numerous as any terrorist operation. Swift action is required. Here are three ways that firms can follow the lead of recent U.S. government actions:
1. Give it its due
Talk is cheap, and security policies are only as good as their execution. Due care and monitoring are in order; the risks and liability are too great otherwise. What that means is that not only do CIOs and CTOs need to be involved in setting and implementing cybersecurity programs, but so should the rest of the executive team and, for that matter, all employees.
2. Set priorities
Oftentimes, the biggest reason security policies and practices fail is that they try to solve every problem at once. Doing so can stretch resources too thin to be effective. The key is to set priorities as a function of the level of risk to the organization, as well as the company's ability to scale. A periodic reassessment is also a wise move: cyberthreats are continually evolving, and so should a firm's network security posture.
3. Coordinate efforts
While IT security staff are the natural choice to lead efforts, they will by no means be the only ones involved. The ideal situation would be for all departments to have a designated representative who coordinates efforts within and outside their area. Herein lies the challenge for any company – policies and practices will often transcend the areas of responsibility of individual employees and managers, and failure to make security practices seamless across these lines will create vulnerabilities that hackers seek to exploit.
Taking it a step further
If nothing else, the recent move by President Obama and the Defense Department is a strong reminder of the importance of companies giving network security its due resources and concern. But simply creating a Chief Security Officer or IT Security Czar position is not enough. Organizations must set up a robust infrastructure that can meet the following criteria:
- Flexible – Companies need to make sure their security products and network infrastructures are robust while also easy to implement. If setup times are extensive, such systems could be obsolete before they're up and running.
- Scalable – An organization's IT security system must also be able to grow when the company does. If not, time and money will surely be wasted.
- Cost effective – Maximizing the return on IT investment is important, and that means companies must do their homework to identify systems and solutions that are right for their environment, and not necessarily default only to the vendors that are better known.
- Support – Regardless of the solution chosen, organizations must make sure their partner provides subject matter experts and product specialists who can get them and their team past issues rapidly.
Keep this in mind: companies are just as much at risk of attack as government organizations. Though the attacks may come from different groups with different motives, the impact can be just as damaging.
Max Huang is the founder and president of O2Security, a wholly-owned subsidiary company of O2Micro. Max can be reached at firstname.lastname@example.org.