My colleague Frank Hayes says that "security is the new Y2k." And he's right: IT security is in a state of crisis on both the vendor and user sides and needs a full-scale remediation effort. But security doesn't have the immovable deadline that was so good at focusing everyone's attention on the Y2k problem and breaking through the usual logjams. Lacking a natural deadline, maybe the pressure for remediation will come from security audits by the federal government, as predicted by futurist Thornton May.
Short of federal audits, the pressure will have to come from corporate CEOs. Unfortunately, like Y2k, security doesn't have a clear-cut ROI. So, how are we going to get the CEO's financial support for major investments in IT security and disaster recovery? I suggest asking your CEO three simple questions:
- How will the board react if Russian hackers steal $10 million from our accounts? (It happened to Citibank in 1994.)
- How will we stay in business if employees can't get into the headquarters building because it's been cordoned off due to an anthrax scare?
- How will it look on Wall Street if we're hit with a "security malpractice" lawsuit because we failed to close security holes that were widely known?
For starters, let's do the easy stuff. GartnerG2 predicts that 90% of cyberattacks will exploit known security flaws for which a patch is available or a solution known. That's why one of the tasks on the to-do list in this special report is patch management. We also suggest assembling a SWAT team to handle security incidents and distributing IT resources for better disaster recovery.
We can help set the agenda and provide implementation tips, but you'll have to get the CEO to open his checkbook yourself.
Mitch Betts (mitch_betts@computerworld.com) is director of Computerworld's Knowledge Centers.
The Security Action Plan
Stories in this report:
- The Security Action Plan
- The Story So Far: IT Security and Disaster Recovery
- Maximum Security Returns
- Manage Those Patches!
- Build a Computer Incident Response Team
- Let the Pros Investigate Computer Crimes
- Watch Out for Wireless Rogues
- For Disaster Recovery, Put Your IT Eggs in Different Baskets
- Denying Network Service
- Think Like a Terrorist
- Field Report: Out from the Shadows
- How to Thrive in the IT Security Market
- The Next Chapter: Predictions about IT security
- IBM's view of the hot trends in IT security
- Case studies in IT security and disaster recovery
- Intrusion-detection systems are evolving
- Reporter's Notebook: IT Security
- Top 10 Vulnerabilities in Today's Wi-Fi Networks