Commentary: People, process secure businesses

Microsoft's and Cisco's recent announcements of major vulnerabilities mean that companies cannot rely on products alone for protection.

    By Forrester Research
    Special to CNET
    July 31, 2003, 5:45 AM PT

    Michael Rasmussen, Director, Forrester Research

    Microsoft and Cisco Systems announced major vulnerabilities last week.

    Companies need a plan to respond and should not rely on products alone for protection.

    This is a people and process problem. The Microsoft vulnerability is a significant exposure in every operating system built on the NT code base, from NT to 2003. The Cisco vulnerability is an exposure that could crash every router.

    Both can be devastating to businesses if used by the miscreants of the world. Additionally, we have seen exploit code in the wild for both. Jumping on the bandwagon, as usual, are myriad security vendors claiming they have the solution to protect companies.

    Vendor claims are far-fetched and provide a false sense of security. No vendor today resolves these vulnerabilities, except Microsoft and Cisco with the patches they implement. Security vendor solutions may hold back the evil hordes of hackers should they come knocking, but the deviants will break through given enough time and motive.

    The only true answer is to patch systems. Organizations should focus on the process and policy portion of security as much as or more than the technology aspect. Do not put blind trust in security vendor claims of protection. Rather, honestly evaluate how the product works and the time it potentially buys you.

    Develop a patch management process based on business risk, so that the critical business applications and support systems (network and desktop, for example) are expedited and patched in accordance with the risk the organization faces.

    © 2003, Forrester Research, Inc. All rights reserved. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.