Commentary: Security beyond software

Security problems do exist, but security companies, which are in the business of selling security software, tend to exaggerate the problem.

Security programs require policy, process, people and technology. They are only as strong as their weakest link, and in many companies the weakest link is not technology.

When companies fixate on security tests consisting of penetrating Web and firewall systems, they miss the social-engineering issues and leave holes such as a hacker simply calling the help desk and requesting a password. It is often much easier to obtain passwords in this way than to try to break them online.

Fixing this type of vulnerability demands that strong security policies be put in place so that, for instance, someone calling in and claiming to be an employee is not taken at face value. Companies also need to have strong procedures in place for responding to security breaches when they do happen because nothing is ever 100 percent secure.

Security policy should include an enterprise security charter, a set of general security policies that apply to all personnel and data, specific security policies that apply to specific domains, standards and procedures derived from those general and specific policies, and guidelines that document best practices and recommendations.

Levels of stewardship
One example of this approach applies to data security. While most data administrators simply document standards or policies with the intention of mitigating data-related risks, we suggest levels of stewardship including absolute mandates; policies and associated penalties such as loss of budget; standards and associated benefits such as increased IT support and shared expense; guidelines and associated advantages such as improved performance and security; and principles and associated alternatives--in other words, "what," not "how."

Adequate staffing is also important. This does not mean that companies need to assign a large staff to the security problem. But the IT organization should have a security officer who tracks security developments and implements appropriate changes in the company's security policies and technology. Without such a person, for instance, the organization may not be aware of patches that vendors bring out to plug newly identified security holes.

Once good policies and staff are in place, the organization can look at areas where it can automate. One technological priority should be intrusion-detection capabilities. In addition to being a good practice, nothing sells the need for good security to senior management better than a list of the intrusion attempts being made on the company's systems, whether they originate internally or externally.
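The kind of intrusion-attempt list described above can be produced from ordinary authentication logs. The following is an added example, not code from the article or from Meta Group: it parses a few constructed sshd-style log lines (the line format, the 2001 timestamps, the hostnames and the addresses are all made up for the example), flags sources that produce a burst of failed logins within a short window, and tags each flagged source as internal or external using the RFC 1918 private ranges, so the resulting summary separates insider-originating attempts from Internet-originating ones. The burst threshold and window are assumptions to be tuned per environment.

```python
"""Summarize failed-login bursts from constructed log lines and tag each
source as internal or external.  Added example; the log format, thresholds
and sample data are assumptions, not the article's own material."""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in an sshd-like format (assumption, not from the page).
SAMPLE_LOG = """\
2001-05-01T09:00:01 host1 sshd: Failed password for admin from 203.0.113.7 port 40101
2001-05-01T09:00:03 host1 sshd: Failed password for admin from 203.0.113.7 port 40102
2001-05-01T09:00:04 host1 sshd: Failed password for root from 203.0.113.7 port 40103
2001-05-01T09:00:06 host1 sshd: Failed password for admin from 203.0.113.7 port 40104
2001-05-01T09:00:09 host1 sshd: Failed password for backup from 203.0.113.7 port 40105
2001-05-01T09:15:22 host2 sshd: Failed password for jsmith from 10.1.4.22 port 51200
2001-05-01T09:15:40 host2 sshd: Accepted password for jsmith from 10.1.4.22 port 51201
2001-05-01T11:42:00 host3 sshd: Failed password for finance from 10.1.9.8 port 60000
2001-05-01T11:42:02 host3 sshd: Failed password for finance from 10.1.9.8 port 60001
2001-05-01T11:42:03 host3 sshd: Failed password for finance from 10.1.9.8 port 60002
2001-05-01T11:42:05 host3 sshd: Failed password for finance from 10.1.9.8 port 60003
2001-05-01T11:42:07 host3 sshd: Failed password for finance from 10.1.9.8 port 60004
2001-05-01T11:42:08 host3 sshd: Failed password for finance from 10.1.9.8 port 60005
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+$"
)

# RFC 1918 private ranges; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def origin(ip_str):
    """Classify a source address as 'internal' or 'external'."""
    ip = ipaddress.ip_address(ip_str)
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"


def parse(text):
    """Turn matching log lines into event dicts; unrecognized lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def detect_bursts(events, threshold=5, window_seconds=60):
    """Return {(src, host): peak_count} for sources with at least `threshold`
    failed logins inside any `window_seconds` window."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[(e["src"], e["host"])].append(e["ts"])
    alerts = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until all timestamps fit in the window.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[key] = max(alerts.get(key, 0), count)
    return alerts


def summarize(text, threshold=5, window_seconds=60):
    """Produce the management-facing view: flagged sources and a count by origin."""
    alerts = detect_bursts(parse(text), threshold, window_seconds)
    by_origin = Counter(origin(src) for (src, _host) in alerts)
    return {"alerts": alerts, "by_origin": dict(by_origin)}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for (src, host), n in sorted(report["alerts"].items()):
        print(f"{origin(src):8} {src:15} -> {host}: {n} failed logins in window")
    print("flagged sources by origin:", report["by_origin"])
```

On the constructed input the external address 203.0.113.7 and the internal address 10.1.9.8 are both flagged, while the single failure from 10.1.4.22 followed by a success is not; the sliding window is what keeps a slow trickle of ordinary typos from being reported as an attack.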

It's important to note that security does not stop at the firewall. Companies often have problems with employees who either inadvertently or purposefully damage or steal from systems. These are hard to detect. Also, a successful hacker tends to appear as an internal employee in the corporate system, becoming visible only when said "employee" does things that are bizarre.

Solid security processes--research, scanning, monitoring, response, reporting and administration--and rapid incident response are vital. Some 80 percent of the breaches that occur over the Internet are exploiting known holes or configuration problems. Therefore, a process that consistently updates security configurations--something that only 15 percent to 20 percent of corporations do well--is critical.

After the breach
Organizations need to be prepared to react when they do suffer a security breach. Just as every retailer sets aside resources for stock "shrinkage" because shoplifting exists, every company needs to set aside resources to cover losses because of security breaches. They need a disaster plan that enables staff to respond quickly and effectively when a breach is detected.

This response also needs to go beyond corporate boundaries to include corporate legal, marketing and communications staffs. As a culture, we have moved very quickly to put huge amounts of data onto the Web. Given the speed with which this has happened and the amount of exposure, some security holes are inevitable. In the old days, some people kept their money in safes to protect it, but the bad guys still found ways to break in and steal it.

Overall, companies should not panic about security risks. On the other hand, they should not take security for granted. They need to create strong security policies and have a security officer to oversee developments and procedures.

Ultimately, management has to decide how much risk it wants to take with specific kinds of data. Is it worth the cost both in money and extra effort to provide increased security? Companies might want to make great efforts to secure sensitive personal data or corporate secrets while investing less for reasonable security for less sensitive information. And since nothing is ever 100 percent secure, management also needs to plan for recovery from any security breaches that do happen.

Information security staff within an organization should shift from the "gatekeeper" role to become more of a security consultancy--advising the business on information risk, mitigation measures, and costs associated with those measures--both in terms of ease of use and in dollars--and letting the business make the call on the amount of risk it is comfortable with and willing to pay to mitigate.

Meta Group analysts Dale Kutnick, Tom Scholtz, Chris King, Wilson Rothschild, Peter Firstbrook, William Zachman, Jack Gold, Val Sribar, Chris Byrnes, Tim McLaughlin and David Cearley contributed to this article.

Visit Metagroup.com for more analysis of key IT and e-business issues.

Entire contents, Copyright © 2001 Meta Group, Inc. All rights reserved.