How to Spend a Dollar on Security

Computerworld - A shy, spiky-haired 24-year-old reputedly unleashes a global computer virus causing an estimated $10 billion in damages, paralyzing computers from the Pentagon to the Parliament. Hackers spend six weeks peering at Microsoft's network programming code for a new generation of Microsoft products. Legendary cracker Kevin Mitnick violates national security by entering a military computer.

If hackers can break into these digital Fort Knoxes, is anyone safe?

Well, that depends.

It depends on how well you secure your network but also on how you plan against attacks, how well you educate system users and many other factors -- most of which are reflected in your IT budget.

Businesses know money must be spent to secure their infrastructure. But how do organizations budget for security?

In order to help companies determine the best use of their resources, here's how to carve up a single dollar in a first-year security budget. This is a method that will work whether you're a Fortune 500 firm or a mom-and-pop e-commerce shop.



15 cents: Policy



Spend 15 cents on nailing down the organization's overall security policy. Ultimately, an effective security program may involve firewalls, perimeter security, vulnerability reduction, operating system hardening and other technical components. But these elements will remain fragmented without an overall, unifying strategy. A top-level security policy documents and explains security goals for everyone in the organization. As a clear management articulation of security strategy, it helps prevent communication breakdowns among corporate divisions.



40 cents: Awareness



Education and support generate the single biggest return on security investments. Even with perfect technology, employees can be talked into unwittingly helping a hacker.

Hackers view data as transparent when it travels via the Internet. But they're often more shrewd than they are technical geniuses. One digital sleuth described Kevin Mitnick as "technically dull." Yet he could hack into almost any system. Many Mitnick conquests, the sleuth pointed out, resulted from social engineering, imitating lineman's jargon, impersonating superiors and talking employees out of field manuals.

Twenty cents of this category should be used to advertise the security program to general users, who must modify their behavior. For example, they need to stop jotting passwords on yellow stickies and posting them on computer monitors in plain sight of cleaning crews.

Use the other 20 cents to educate IT professionals responsible for building a more secure system. They must keep abreast of new policies, standards and procedures, and they must be trained in building a secure infrastructure. Professionals require a steady flow of information, advice and resources, from both