Five Steps To Better Security: What Every Exec Needs to Know
Security is a critical enabler for an organization's IT systems for several reasons. Companies must guard against people who would steal or destroy their data and services. Also, government regulations like the Sarbanes-Oxley Act mean businesses must know who has access to what data, and when. Every publicly traded business must comply with these regulations, and inadequate security policies and controls greatly increase the cost of that compliance.
Additionally, many companies are virtualizing their businesses to become more efficient and nimble. Collaborating with business partners becomes as important as collaboration between employees. Companies must integrate processes and federate identities across company boundaries. In effect, security is the first hurdle.
More specifically, companies must distinguish employees from partners and define how each may access internal IT systems in support of these integrated processes. Then companies need a process to identify the right people, issue them an ID so they can log on, grant the appropriate access permissions, and manage the entire system over its lifetime. However, most IT security systems are not designed to work across company boundaries. Emerging technologies enable new capabilities, but it is not enough to simply install a product; policy and procedure become even more important.
While there are no easy answers when it comes to protecting enterprise data and assets, here are a few tips to get on the road to a secure enterprise through a measured, thoughtful consideration of the factors within your unique business environment.
Develop a Strategic Plan - Enterprises need a consistent security strategy and a reliable process to keep up with the latest technologies and ongoing threats. You should approach security from a holistic and strategic perspective to ensure reliability, regulatory compliance, data confidentiality, integrity and availability.
This plan should include estimated costs, defined objectives and a solution blueprint. A pre-determined roadmap to the final result is also a critical factor for any successful implementation.
Below are some steps to complete in order to create the right plan for your organization:
Consider the People and Processes - Secure solutions depend upon the integration of technology, processes, and people. Whether you're devising an approach to identity management or designing your organization's patch management methodology, you should treat each of these aspects as foundational to your security strategy. Technology is only part of the solution. Having an effective process, while aligning the solution with employees, eases the transition for any organization.
Pick the Right Partner - With so many vendors and consultants available, it is important to find a partner that shares your organization's strategic vision. After determining a strategy, select partners with experience and a strong reputation. The right partner will help design and implement a system that builds on your existing systems to manage access across systems and networks securely and cost-effectively.
Implement with a Target in Mind - Do not implement solutions arbitrarily and expect them to run smoothly. It is essential to establish architectural guidelines in order to eliminate complexity before it takes hold.
One mistake many organizations make in the area of information security is to assume that by applying more technology, they will keep their enterprise more secure. Rather than push the need for more security, companies should focus on effective security, where you evaluate your current position and then design and build a security approach that fits the needs and budget of your organization.
This holistic view of the organization's security state provides a great starting point for mitigating security risk in the enterprise. Then, once the security risk assessment is complete, companies can architect, design and implement a solution that fits the needs of their specific business.
Don't Rely on Retrofitting - Retrofitting security is rarely possible without redesigning substantial parts of the system and, in almost all cases, it will be very expensive. Security must be an integral part of the system design from the start, not an afterthought.
That said, retrofitting can solve tactical problems by filling holes in an existing system, but it can create new strategic problems as well. To balance benefits against cost, companies should look to integrate solutions within an existing system while being prepared to make the strategic investments that create a secure system lasting over time without further retrofitting.
Really, one statement says it all: "Security is not something you buy, it's something you do." It is a process used to maintain a quality of a business's IT systems, just like scalability or availability. With the right process in mind and the right technologies to support these qualities, companies can maintain a holistic view of their overall goals and security's role within those goals, and develop a coherent execution plan.
Ace Swerling is the security director for Avanade, a global IT consultancy, focusing on Avanade's Identity and Access Management business along with Core Security. He invented an architectural concept called Enterpresence to join identity, security, and SOA applications; it is a core tenet of Avanade's application development methodologies. Ace worked in Microsoft Consulting Services prior to joining Avanade six years ago, where he was considered a SME on Windows and AD. He is also an Exchange Ranger.