Even though information security has been a recent focal point in the news and
has gained much attention in large organizations over the past few years, most
businesses still have a long way to go before they can be reasonably comfortable
with the security of their information systems and critical data.
Security has become such a complex set of issues that it can no longer be categorized
into silos of physical and cyber threats. Only by taking a holistic approach
to managing security enterprise-wide can companies protect themselves and their
interests.
When it comes to implementing security solutions, a lot of emphasis has been
placed on processes and technology and not enough has been placed on
people. Effective security can only be achieved if everyone involved (executives,
IT, and all levels of administrative staff) complies with corporate policies
and makes educated decisions. Focusing on the human aspects of physical and information
security, which are always the weakest link in the security chain, is a key issue
companies need to address first, and often.
Organizations need to develop a holistic approach to security that will result
in systems that are secure, practical, user-friendly, and also motivate employees
to behave in a security-conscious fashion. Motivation of an end-user with respect
to information security is a critical factor. Security without motivating the
end-user is like driving a car without turning on the engine.
The first step is to start with a set of goals for guiding development and implementation
of security systems, policies, procedures, and processes. Security is a mission-critical
concern that will only increase in profile. Some companies realizing this growing
area of concern have created a management group headed by a chief security officer
(CSO), who has responsibility for information system security. The CSO ensures
that proper funding and resources are invested to make security an integral
rather than an ancillary part of the company's regular risk management
processes and procedures.
But before embracing a holistic approach to security, companies first need
to admit that they are indeed at risk. The two biggest myths around security
are: "It's never going to happen to me" and "I can trust
my employees." For these reasons, traditional security mechanisms have
focused almost entirely on technology solutions. Only in recent years have there
been concerted attempts at taking human factors issues into consideration. There
is a growing recognition of the fact that humans are the weakest link in the
security chain and consequently the main cause of security breaches. In addition,
hackers and industrial spies now tend to target the human weaknesses of the
security system before they target the technical ones.
An effective security program must integrate policy with process and automated
enforcement of security controls to continually reduce risk. Many security professionals
focus solely on managing individual projects and the issues at hand, and fail
to establish a leadership role in IT risk management and strategic planning.
They have been content in implementing security on a piecemeal basis:
securing a network with a firewall, protecting a subnet with a router, putting
anti-virus software on a computer, and so on. But it's obvious that approach
hasn't worked.
In order for information security to work effectively, it has to be planned,
implemented, and maintained as a complete system, with all components working
together, since each component depends on the others.
Firewalls, for example, can provide a false sense of security. Yes, it is mandatory
to protect organizations with a good firewall and other security solutions,
but what really matters is that these should be backed by adequate security
policies and procedures based on the threat risk assessment for the organization,
and on industry norms. Without a strong emphasis on the human aspects of security
the expenditure on hardware and software will be wasted. Poor passwords make
it easy for an intruder to masquerade as a legitimate user. The security system
is still functioning properly but it has been circumvented by poor human practices.
In other words, security cannot be achieved by technology alone. It must become
a core part of organizational culture and business process. Technology, behaviour,
policy, and processes are all equally important in creating a holistic approach
to security.
Determining the business tolerance for risk; identifying and communicating
security risks and risk mitigation options; and articulating security program
costs and benefits to key individuals in IT and business management ahead of
time are best practices that should become corporate mandates.
The holistic approach to security is still a tough sell to many companies.
They tend to be more comfortable with the traditional, physical approach because
assets are more tangible than information, and measures to protect them, such
as padlocking all the gates to a plant, are easy to concoct and implement.
The evidence is increasingly clear that maintenance of information security
is a never-ending battle against nefarious forces that see it as a game. For
every step a corporation takes to increase its security, the other side comes
up with something to counter it. The result is an escalating "arms race"
that companies cannot afford to lose.
To conclude, security must be viewed and implemented in a holistic manner.
It has to start from the top and should be embedded in every business process.
Security is not only technical solutions, but also includes the mind-set of
each company employee. If a company can make each employee think and act like
a security officer, then the organization has succeeded in adopting a corporate
culture that truly values security as a top priority.
About the author:
Mansoor Khan heads the Security Professional Services group at Soltrus Inc.
Mr. Khan is a seasoned information systems security professional with over 10
years' experience in the field of Information Security Management and
security audits. Soltrus Inc. is a leading Canadian provider of end-to-end security
solutions for enterprise and small businesses. The company is also a leading
provider of Digital Trust Services, through VeriSign, enabling businesses and
consumers to communicate and transact over digital networks with confidence.