dcsimg

Protecting Information from Technology

By Mark Egan

(Back to article)

Whoever said that technology would lighten workloads had obviously never worked in IT.

Sure, technology opens the door to one of society's most valuable assets -- information -- but the downside is that technology has also become the vehicle of choice for putting information in jeopardy.

And it's not just viruses and worms. Technology now enables phishing, pharming, identity theft, intellectual property theft, and fraud.

What's more, these threats are costly. Symantec research indicates that there is a ratio of 10:1 between the cost of a single incident or disruption and the cost of assuring the integrity of business information.

So, what's a CIO to do? It's no longer enough to simply make sure that information is secure. Nor is information availability alone sufficient. Indeed, as threats are becoming more complex and frequent, organizations are relying more on IT than ever.

But that's the bad news. The good news is that the process of building a more resilient IT infrastructure that safeguards information integrity can be boiled down to three simple steps: measure, improve and manage.

Measure

The first step may very well be the most challenging, and for good reason. Evaluating and measuring the state of an information environment is anything but trivial.

It requires organizations to assess risks against vulnerabilities, exposures, and threats. It calls for detailed intelligence on external threats and vulnerabilities, regardless of how new they are, and identifies recommendations on how to protect assets.

Unfortunately, that's just the tip of the iceberg. Measuring the IT environment also requires organizations to know which systems are authorized and connected to the network, who is logged on, which applications are deployed, if patches are up-to-date, and whether system and data backup procedures are in place and being followed.

Improve

The second step in creating a resilient IT environment is to act to improve it. And that means protecting information from attacks, mitigating threats, correcting problems, and recovering from incidents.

To do this, organizations must be able to pinpoint, evaluate, and prioritize threats; implement protection technologies that automatically block threats and stay up-to-date; leverage tools to streamline and speed patch management; and establish regular, frequent backups to make it easier to bring systems back online quickly in the event of a disruption.

Perhaps one of the most overlooked components of a resilient IT infrastructure is a business continuity plan. Many organizations don't have one, and those that do often have flawed plans.

A Penn, Schoen & Berland study indicates that a mere 35% of corporate disaster recovery plans actually work. Yet, it's clear that surviving a major data loss is difficult if not impossible for many of today's companies.

Of course, a disaster recovery plan must be coupled with overall IT and security policies to help keep an organization's security posture strong.

Manage

Organizations must be able to manage their environment. Infrastructure monitoring and management are key, and organizations must keep an eye on the external threat environment even as they scrutinize their own internal security status.

Remediation capabilities must be in place so that software and content updates are automatically distributed whenever a new vulnerability is announced or a new threat appears.

Asset management capabilities are also essential in order to enable organizations to prioritize remediation efforts. And, to ensure that critical assets can be recovered quickly and efficiently, organizations must have the capability to perform selective restores.

With this three-step process in place, technology can be a significant business enabler that protects the security and availability of information even as it helps organizations grow into new markets and services.

Mark Egan is Symantec's CIO and vice president of Information Technology. He is responsible for the management of Symantec's internal business systems, computing infrastructure, and information security program. Egan is also author of "Executive Guide to Information Security: Threats, Challenges, and Solutions" from Addison Wesley and was a contributing author to "CIO Wisdom."