The Changing Face of Information Security

Computerworld - Hacking, cracking, global worms and viruses, netspionage, social engineering, internal theft, employees with malicious intent, physical terrorism and cyberterrorism -- these are just some of the security challenges organizations face. All the ways we have allowed data to be shared have made undetected theft of sensitive information exponentially easier. While efforts to extend data to the edge of the organization for productivity's sake have succeeded beyond our expectations, attempts to secure that data have failed miserably.
We are starting to realize that information security is a process in support of the organization, requiring an understanding of the forces that drive business both internally and externally. A security program can be designed to effectively withstand business change only when the organization and the IT department work cooperatively.
Security Blunders
Organizations usually react to threats by implementing some new piece of defensive technology, but while that may appear to be the quick solution, it is often the last thing you should do. Technology without proper strategy and business value can actually leave you more vulnerable.
One publicly traded company redesigned and replaced its firewalls before it acquired another publicly traded company. The parent company was focused on shoring up its infrastructure, but it failed to concern itself with the new organization's environment prior to purchase.
In this case, the first dollar the purchased company transacted after the merger put the parent company at risk. All the parent company's security precautions were in vain, since it had not taken into consideration the security controls of the company it was acquiring. And the CEO and CFO were liable for all noncompliance issues in both companies.
Building a Compliant Organization
The introduction of mergers or mandates like the Sarbanes-Oxley Act complicate security, and organizations need to develop programs that take them into account. With compliance taking a big bite out of IT budgets, companies need to make sure that every dollar spent on technology gets them closer to their compliance goals. Business-driven, top-down strategies are far better than the typical ground-up approach of reacting to threats. Here are some tips for doing this right:

• Understand and fully interpret the governance and compliance issues you are faced with today. Realize that you may be subject to multiple mandates (Sarbanes-Oxley, HIPAA and California's SB 1386, for example) and that it's important to understand all of them before planning to address any single one.


• Employ an external organization to provide a baseline or "gap" study of your environment that includes reviewing your compliance drivers, understanding your security environment as it stands today and prioritizing recommendations. Engaging a contractor to do this sidesteps internal politics that could get in the way of exposing security gaps.


• Once a gap is identified, have a conversation with management about how IT will deliver process and technology to address the business issue of compliance. Get management buy-in.


• Create a compliance road map. Specifically address how best to solve each compliance problem through the chosen combination of technology, processes and documentation.


• Build incident detection, monitoring and response programs, realizing that the optimal security environment starts with a clean slate, not with the addition of more technology to an existing mess.


• Develop security awareness and training programs, then prepare all employees to understand their security responsibilities.