Avoiding the security trap

Jon Oltsik says the acquisition of the latest security technology is a good start but not a substitute for a comprehensive strategy. It's a message that's in danger of getting lost in a stampede to build impenetrable cyberdefenses.

Jon Oltsik
Jon Oltsik is a senior analyst at the Enterprise Strategy Group. He is not an employee of CNET.
The prospects for IT spending in 2003 were already tight before the war in Iraq made mincemeat of last December's forecasts.

But despite the turn of current events, companies continue to treat IT security as a special spending category, one that's seemingly impervious to the lingering economic slowdown and the prospect of even more global uncertainty in the months ahead.

In fact, when it comes to equipping their companies with the latest and the greatest against future cyberattacks, IT managers are willing to open their wallets.

But while technology no doubt plays a major role in overall information security management and "defense in depth" security, the application of technology alone is no substitute for a comprehensive security strategy.

We've seen this technology overemphasis to the exclusion of other important considerations before.

During the 1990s, many companies rushed out and bought HP OpenView, IBM NetView or Cabletron Spectrum to get a graphical representation of the network topology and capture network events. But once these systems were in place, IT managers had no idea how to use these systems or interpret the data. The tools only became useful when IT departments defined supporting policies and processes and dedicated teams of operational experts for management and administration.

The same holds true of security. Companies are spending oodles of money on security technology, but tools are only beneficial if they work hand in hand with defined methodologies. I've had many conversations with Fortune 1,000 companies about their security practices, and here is what they would counsel:

Make security a corporate objective

The unfortunate truth is that security nerds within IT are viewed as nuisances who other employees routinely circumvent. That's a mistake because companies that embrace security within their corporate cultures are far more likely to be successful. The process starts with a commitment from senior management to spread the word. It ends with a well-defined set of security and training policies where security is defined as a perpetual process that requires a constant review of procedures, vulnerabilities and preparedness.

Set up a real security team

Firms with a real knack for security appoint a chief security officer who reports to the CEO and is responsible for both physical and information security. As far as information security goes, the security team is accountable for overall architecture, policy creation and auditing, but shares day-to-day security operations with the IT group. A separation between the IT and security groups creates a checks-and-balances relationship. There's an upshot: Security requirements get designed into applications and infrastructure architecture as well as day-to-day management.

Establish IT governance and security best practices

In spite of some wonderful security technology, companies continue to feel pain from the likes of Code Red, Nimda and the SQL Slammer. Why? Poor IT procedures when it comes to configuration management, change management and system administration. This is especially troubling because of the breadth of mature methods available for these activities. Companies should anchor their security with a solid foundation of IT governance like ITIL, ITSM or CobiT. These IT governance models provide obsessive detail on how to run a process-oriented, secure IT shop. To build upon this base, look to established security best practices from security honchos like CERT, NIST or the U.S. government.

Prepare for the worst

Even the most secure company will suffer a security breach at some point in its history. Like the Boy Scouts' motto suggests, it is important to be prepared. Create an emergency response team that includes security experts and functional IT technicians, as well as members from the human resources and legal departments. Everyone should know his or her individual roles and responsibilities. Companies fixated on security constantly drill their teams to judge their responsiveness and correct any process lapses.

This is a simple list, and indeed lots of other things go into providing hardened security. Nevertheless, visit any security-conscious firm and you'll find that they've implemented several--if not all--of the items listed above.

Before purchasing a lot of new tools and technologies, companies can achieve better protection and improve their security return on investment by taking all this into account. If a firm needs help, it should seek immediate assistance or outsource the whole ball of wax. Security is too critical to allow corporate politics or IT pride to get in the way.