Natioanlnewspapersecurityartice

Published on: Mar 3, 2016
Source: www.slideshare.net


Transcripts - Natioanlnewspapersecurityartice

  • 1. Front Lines
Securing the enterprise
By: Frank Curry
The Globe and Mail, August 19, 2005

Front Lines is a guest viewpoint section offering perspectives on current issues and events from people working on the front lines of Canada's technology industry. Frank Curry is the Practice Director for Technology Infrastructure at Avanade Canada Inc., a technology integrator for Microsoft solutions in the enterprise.

For today's executives, the threat of a security intrusion or disruption is real, constant and ever-changing. For the IT department, the response to security events is often at the expense of other projects and leaves the department feeling like it is lurching from crisis to crisis. Most companies in a security crisis dispatch a SWAT team of their strongest IT professionals to resolve the problem. This results in the reassignment of staff from other, more strategic projects. As a result, IT staff are constantly playing catch-up on vital aspects of IT infrastructure projects they had to abandon to respond to the crisis.

Most IT professionals understand that the "wait and see" attitude is no longer an effective way to manage security. Reacting to viruses and threats after a breach has occurred can be costly and inefficient. A reactive approach not only leads to an ad hoc security program, but distracts the IT team from their primary activities - usually those efforts that supply the company with a strategic advantage.

As security strategies evolve beyond this reactive approach to a more proactive one, there is a great opportunity for IT professionals to create a security platform that encompasses the entire enterprise - one that includes not only technology, but people and processes. Managing security proactively requires a step back from the day-to-day execution in order to view the environment holistically.

Unlike application security, which has a very limited purpose and function, proactive security is based on a comprehensive overview of the entire organization. This allows IT executives to create a plan with a long-term perspective that goes beyond technology fixes. By taking a proactive approach, security becomes a business issue, not just a technology problem. Thinking proactively about managing security is not an easy task. It takes time and investment to design the processes and build the technology to execute them.
  • 2. What is more, there is a challenge inherent in this approach: to be successful, it often requires buy-in from many different stakeholders, in addition to IT management and the network administrators. Often IT professionals hit a roadblock in the approval phase because each stakeholder has his or her own agenda with his or her own individual priorities. More often than not, security is put on the back burner as these priorities take precedence, and a more tactical approach is employed. In creating a proactive security approach, there are a few initial steps to take to develop a plan that is attractive to, and more likely to be embraced by, all concerned parties.

Understand Your Environment

Before you decide where you want to be, you need to understand where you are. To accomplish this, an objective eye is required to review the current security state - the business assets, threats and vulnerabilities. With this insight, you can begin to identify and prioritize the risks that may have the greatest impact on the company, and those that can be mitigated effectively.

Involve the Organization

In order to create a strategy approved by the organization, one needs to involve the organization. At the start, bring together decision-makers from groups or divisions with a direct and indirect stake in security. Use this meeting to create a steering committee to review the organization's IT security and ensure each group's needs and concerns from a security perspective are acknowledged.

Create a Strategy

A clearly defined strategy is a roadmap to where you want to be and how you plan to get there. Without a long-term strategy, security projects will continue to be uncoordinated and even incompatible with one-off projects. A holistic approach to security entails thinking about security as a part of enterprise architecture. This perspective helps break the problem down into components that are the basis for a roadmap.

Starting with the enterprise architecture, one can consider what security means to messaging, to transactions, to hosted applications, and so forth. From this vantage point, it's also easier to factor in policies and infrastructure to create a strategy that is both contextual and comprehensive.

Create a Business Case for Security and Define the ROI

Security is not a discrete product, so defining its cost savings can be a challenging exercise. When trying to identify the ROI on security, a good rule of thumb is to consider money your organization could save by mitigating risks that may or may not happen. Some aspects of security are intuitive - so significant that they do not require a full-blown business case, such as the investment to secure a website to prevent theft of customers' credit card information. Other aspects of overall security do not have such obvious benefits. While it's tempting to define value based on a single project because there are fewer costs and functional lines to cross, it can undermine the credibility of one's argument if the overall security
  • 3. Speak in Their Language

Perhaps most important is to understand how the consortium of representatives like to see risk structured and quantified for their groups and for the organization. People who focus on activities related to auditing or finance are going to have an interest in security that's different from that of the people who focus on maximizing the volume of transactions performed by systems. You need to demonstrate the strategy and security plan in their terms, from their perspective. Think of your CEO and CFO as your customers, and tailor your approach and use language that they understand.