
IT security: Something's gotta give

Jon Oltsik says that MyDoom has sounded the alarm about the new business reality and the precarious state of enterprise security.

Jon Oltsik
Jon Oltsik is a senior analyst at the Enterprise Strategy Group. He is not an employee of CNET.
2004 is just over a month old, but it has already been an eventful year for information security, with the MyDoom worm carving its name into the annals as the most malicious code cocktail ever.

MyDoom demonstrated that with a bit of social engineering, users will always be duped into opening attachments. Once running, MyDoom launched an avalanche of e-mail that clogged networks and servers and interrupted business productivity. It then launched denial-of-service attacks on SCO and Microsoft. And as if this weren't enough, it opened backdoors, creating a global army of zombies poised to relay spam or launch the next denial-of-service onslaught.
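If users will always open what lands in their inbox, the attachment has to be stopped before it reaches them. The following is an added example, not code from this column or from any product it mentions: a mail-gateway check, written in Python with only the standard library, that flags attachments Windows would run on a double-click, including executables wrapped inside a zip archive. The sample message, its lure text, the filenames and the extension list are constructed for the example and are my assumptions, not a capture of MyDoom.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Extensions Windows executes when a user double-clicks the file. Mass-mailing
# worms of the MyDoom era shipped as these, sometimes wrapped in a .zip so that
# naive gateway filters keyed on the outer filename let them through.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".cmd", ".com"}


def _is_executable_name(filename):
    """True if the filename ends in an extension Windows will execute."""
    name = (filename or "").lower()
    return any(name.endswith(ext) for ext in EXECUTABLE_EXTENSIONS)


def _executables_in_zip(data):
    """Return executable member names inside a zip payload (empty if not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if _is_executable_name(n)]
    except zipfile.BadZipFile:
        return []


def find_dangerous_attachments(raw_message):
    """Walk a MIME message and report attachments a user could run by opening them.

    Returns a list of (attachment filename, reason) tuples.
    """
    msg = email.message_from_bytes(raw_message)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container, not content
        filename = part.get_filename()
        if not filename:
            continue  # inline body text, not an attachment
        payload = part.get_payload(decode=True) or b""
        if _is_executable_name(filename):
            findings.append((filename, "executable attachment"))
        elif filename.lower().endswith(".zip"):
            for member in _executables_in_zip(payload):
                findings.append((filename, f"zip contains executable {member}"))
    return findings


def build_sample_message():
    """Constructed sample (assumption, not real worm data): a bounce-style lure
    carrying a zip that wraps a .scr, a bare .pif, and one harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.scr", b"MZ not really a program")
    msg = EmailMessage()
    msg["From"] = "postmaster@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Mail Delivery System"
    msg.set_content("The message could not be delivered; see the attached report.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="document.zip")
    msg.add_attachment(b"MZ fake", maintype="application", subtype="octet-stream",
                       filename="readme.pif")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in find_dangerous_attachments(build_sample_message()):
        print(f"quarantine {name}: {reason}")
```

The point of looking inside the archive is that the outer filename is the only thing a naive extension filter sees; a worm that zips itself defeats that filter while still arriving as a single double-clickable file for the recipient. A real gateway would also need to handle nested archives and password-protected zips (which cannot be inspected and should be quarantined on that basis), both left out here.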


Obviously, MyDoom almost guarantees another big quarter for security vendors. Manic executives who couldn't send or receive e-mail for a few days are bound to read the riot act to IT and security staff to fix the problem. IT managers in turn will purchase a new round of security piece parts to plug the holes and proudly proclaim, "Mission accomplished." (Of course, they can't anticipate future problems, so they'll probably have to repeat this fire drill again and again.)

Do you see the cycle here? Problem defined, point solution implemented, problem addressed, new problem arises, and so on. This last 13-word sentence sums up the entire state of information security.

Why is this so? The authors of various Internet protocols and software systems didn't design their stuff with security in mind. This wasn't a big deal when the Internet was the exclusive playground of academic and military types, but add a few hundred million users and the lack of systemic security became a real problem.

In reaction, security "bolt-on" technologies became a necessity. Today enterprise companies have a complex array of firewalls, intrusion detection systems, gateway appliances and antivirus software for protection. Yet they keep getting hit with additional security problems. This model is clearly unsustainable, and something has to change.

Let's start with the boardroom. After so many unfulfilled technology promises, jaded executives want to understand the return on investment from every dollar spent on information technology. Since security returns are hard, if not impossible, to quantify, many initiatives go unfunded and companies remain unprotected.

Note to C-level folks: wake up! You all want to use technology to drive new revenue, increase productivity and lower costs. New systems may deliver the desired business results, but if they are connecting over the Net, you are driving through one rough neighborhood along the way. In our Internet-connected world, security is a cost of doing business, a necessary evil, period. If you hold back on security dollars, you are foolishly rolling the dice with your company, and with your career.

This is not to suggest that CEOs write blank checks. Security budgets and efforts must be commensurate with business risk and value. This means that IT must abandon the security box mentality, examine the fundamental security of mission-critical applications and business processes, and come up with a reasonable budget for protection.

Start with the most important and basic security analysis, namely: what are the potential threats, and what would the business impact be if this system were attacked? This will help prioritize where to start. Next, dig into the security risk profile. Who should have access to critical systems? Do they connect over the Internet? What are the trust relationships between systems and applications? How should systems behave?

Once IT develops a security plan that protects business-critical assets in a comprehensive fashion, it will be far easier to understand the risks of inaction and the costs of an adequate security system. Once everyone agrees on priorities, metrics and budgets move ahead quickly, as there is no time to waste.

This may sound alarmist, but MyDoom is the latest evidence that strong information security is a new business reality. CEOs must demand and fund these efforts, while IT must design and operate a security system. As innovations such as wireless, nanotechnology and IPv6 expand IT's potential and reach, security efforts will only get more complex and expensive.

There's also a bottom-line tally to contemplate. Companies that manage their information security efforts sooner, rather than later, will lower their risks. Those that delay or otherwise avoid the issue will suffer through endless cycles of business disruptions, stock price slides and inevitable lawsuits.