Five Steps To Better Security: What Every Exec Needs to Know

By Ace Swerling

Every year, the number of data breaches continues to increase, and companies are looking for ways to protect their most important asset—their data. In 2007, the Identity Theft Resource Center documented 448 data breaches, potentially affecting more than 127 million records, almost three times the number in 2006.

Security is a critical enabler for organizations’ IT systems for several reasons. Companies must guard against people who would steal or destroy their data and services. Also, government regulations like the Sarbanes-Oxley Act mean businesses must know who has access to what data and when. Every publicly traded business must comply with these regulations, and inadequate security policies and controls greatly increase the cost of that compliance.

Additionally, many companies are virtualizing their businesses to become more efficient and nimble. Collaborating with business partners becomes as important as collaborating between employees. Companies must integrate processes and federate identities across company boundaries. In effect, security is the first hurdle.

More specifically, companies must distinguish employees from partners and define how each may access internal IT systems in support of these integrated processes. Then companies need a process to identify the right people, issue an ID so they can log on, grant the appropriate access permissions, and manage the entire system. However, most IT security systems are not designed to work across company boundaries. Emerging technologies enable new capabilities, but it is not enough to simply install a product—policy and procedure become even more important.

While there are no easy answers when it comes to protecting enterprise data and assets, here are a few tips to get on the road to achieving a secure enterprise through a measured, thoughtful consideration of factors within your unique business environment.

Develop a Strategic Plan - Enterprises need a consistent security strategy and a reliable process to keep up with the latest technologies and ongoing threats. You should approach security from a holistic and strategic perspective to ensure reliability, regulatory compliance, data confidentiality, integrity and availability.

This plan should include estimated costs, set objectives and a solution blueprint. Also, a pre-determined roadmap for the final result is a critical factor for any successful implementation.

Below are some steps to complete in order to create the right plan for your organization:

  • Set overall scope and objectives
  • Gather high level requirements such as what systems you need to support, etc.
  • Determine the current state of your security and what you want to achieve
  • Develop business case to get executive buy-in on this plan and estimate your costs
  • Develop a blueprint for creating your security solution
  • Select the appropriate software to achieve objectives
  • Develop a roadmap for rolling out the solution

Consider the People and Processes - Secure solutions depend upon the integration of technology, processes, and people. Whether you’re devising an approach to identity management or designing your organization’s patch management methodology, you should consider each of these aspects as foundational to your security strategy. Technology is only part of the solution. Having an effective process, while aligning the solution with employees, helps ease the transition for any organization.

Pick the Right Partner - With so many vendors and consultants available, it is important to find a partner that shares your organization’s strategic vision. After determining a strategy, select partners with experience and a strong reputation. The right partner will help design and implement a system that makes the most of existing systems to manage access across systems and networks securely and cost-effectively.

Implement with a Target in Mind - Do not arbitrarily implement solutions and expect them to run smoothly. It is essential to establish architectural guidelines in order to eliminate complexity before it begins.

One mistake many organizations make in the area of information security is to assume that by applying more technology, they will keep their enterprise more secure. Rather than push the need for more security, companies should focus on “effective security”—where you evaluate your current position and then design and build a security approach that fits the needs and budget of your organization.

This holistic view of the organization’s security state provides a great starting point for mitigating security risk in the enterprise. Then, once the security risk assessment is complete, companies can architect, design and implement a solution that fits the needs of their specific business.

Don’t Rely on Retrofitting - Retrofitting security is rarely possible without having to redesign substantial parts of the system and, in almost all cases, retrofitting will be very expensive. Security must be an integral part of the system design from the start, not an afterthought.

However, retrofitting can solve tactical problems by filling in holes in an existing system, but it can create new strategic problems as well. To balance benefits against cost, companies should look to integrate solutions within an existing system but be prepared to make the strategic investments to create a secure system that will last over time without requiring any retrofitting.

Really, one statement says it all: “Security is not something you buy, it’s something you do.” It is a process for maintaining a quality of a business’s IT systems, just like scalability or availability. With the right process in mind and the right technologies to support these qualities, companies can maintain a holistic view of overall goals and of security’s role within those goals, and develop a coherent execution plan.

Ace Swerling is the security director for Avanade, a global IT consultancy, focusing on Avanade's Identity and Access Management business along with Core Security. He invented an architectural concept called Enterpresence to join identity, security, and SOA applications. This is a core tenet of Avanade's application development methodologies. Ace worked in Microsoft Consulting Services prior to joining Avanade six years ago. While there, he was considered an SME on Windows and AD. He is also an Exchange Ranger.