Security Process Professional .......... Resources for IT Audit & Security Improvement
Time for Change

What is really the greatest threat to businesses? Is it hackers? Uninformed users? Dishonest employees? Criminals? Terrorists? No. There is a constant threat we all grapple with every day, and it dwarfs all of these.

The fact that things change is the greatest obstacle to security. By reacting to each new threat individually, we miss the greatest opportunity for securing our organizations. We already know we can't beat the hackers; they will always find new ways to hit us. We also know our employees and customers won't always do the right thing, however much we spend on security awareness, best-practice standards and training. But if we can assemble, on the fly, a real-time picture of the state of our technology infrastructure and of the current business objectives, we can be confident in our decisions about how to address emerging threats.

Most companies already have mechanisms in place to assess and manage business risk. Why can't the processes and procedures used in that area be applied just as effectively to technology? Is security really so mystifying that it requires a whole new enterprise process? Is there really no relationship between security risk and the risks handled by quality assurance, business continuity and capacity planning? Security shares much with these other enterprise disciplines, and costs could be saved by leveraging the skills of staff who already know how to judge risk in those areas.

Failing to treat security like the other business risks that must be constantly re-evaluated, prioritized and addressed is the reason most companies struggle with it. Doing so requires that you baseline your IT environment and have mechanisms in place to measure change against that baseline. Such a mechanism lets you assemble a real-time picture of the security infrastructure and of the business objectives it serves. At any given moment you should be able to determine what the environment contains, how it functions, and at what priority level each function supports the business during the brief slice of time in which a security decision must be made. A risk assessment assembled on the fly should give you a clear understanding of which business functions are affected, how critical they are to productivity, the costs and benefits of the candidate security solutions, and the potential risk impacts. Such assessments must quantify those impacts, in estimated dollars and cents and at this exact point in time, so that executives can make informed decisions about security.

To deliver this, we need a way to assemble an inventory on the spot, isolating the systems affected by a security problem. Their business functions must be prioritized, and their relationships to the other systems they interface with must be clear. Their value to the business must be estimated, and the cost of potential disruptions must be represented. Armed with this knowledge, managers can make an informed decision on whether to proceed with an investment (which might be as small as authorizing a patch or as large as buying a new security appliance): either accept the risk, or go ahead with the solution.
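The mechanism described above (a configuration baseline, change detection against it, and an on-the-spot impact estimate that follows system dependencies out to the business functions they support) can be sketched in a few dozen lines. The following is an added example written for this page, not code from the original article or from QualityIT; the asset names, dependency graph, business functions, priorities and hourly dollar values are constructed sample data, and the configuration snapshots are hypothetical.

```python
"""Added example, not from the original article: a minimal model of the
baseline-and-impact mechanism the text describes. Assets, dependencies,
business-function values and dollar figures are constructed sample data."""
from dataclasses import dataclass
import hashlib
import json


@dataclass(frozen=True)
class Asset:
    name: str
    config: dict            # whatever you baseline: packages, open ports, settings
    depends_on: tuple = ()  # names of assets this one cannot run without
    supports: tuple = ()    # business functions this asset directly delivers


# Constructed sample data (hypothetical names, priorities and values).
BUSINESS_FUNCTIONS = {
    "order-entry": {"priority": 1, "hourly_value_usd": 12_000},
    "reporting":   {"priority": 3, "hourly_value_usd": 800},
}

SAMPLE_ASSETS = [
    Asset("db-primary", {"version": "9.1", "listen": [5432]}),
    Asset("app-server", {"patch_level": "KB-1"},
          depends_on=("db-primary",), supports=("order-entry",)),
    Asset("report-server", {"patch_level": "KB-1"},
          depends_on=("db-primary",), supports=("reporting",)),
    Asset("web-front", {"tls": "1.2"},
          depends_on=("app-server",), supports=("order-entry",)),
]


def fingerprint(asset):
    """Stable hash of an asset's configuration; this is what the baseline records."""
    canon = json.dumps(asset.config, sort_keys=True).encode()
    return hashlib.sha256(canon).hexdigest()


def baseline(assets):
    """Snapshot of the whole inventory: asset name -> configuration fingerprint."""
    return {a.name: fingerprint(a) for a in assets}


def detect_change(base, assets):
    """Names whose fingerprint differs from the baseline, plus assets that
    appeared or disappeared since the baseline was taken."""
    current = baseline(assets)
    changed = {n for n in current if base.get(n) != current[n]}
    removed = set(base) - set(current)
    return sorted(changed | removed)


def with_config(assets, name, new_config):
    """Copy of the inventory with one asset's configuration replaced."""
    return [Asset(a.name, new_config, a.depends_on, a.supports) if a.name == name else a
            for a in assets]


def affected_by(assets, root):
    """Every asset that transitively depends on `root` (root included)."""
    dependents = {}
    for a in assets:
        for d in a.depends_on:
            dependents.setdefault(d, []).append(a.name)
    seen, queue = {root}, [root]
    while queue:
        n = queue.pop()
        for child in dependents.get(n, []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def impact(assets, root, outage_hours):
    """Business functions hit if `root` goes down, ranked by priority, with the
    estimated cost of `outage_hours` of disruption."""
    by_name = {a.name: a for a in assets}
    hit = affected_by(assets, root)
    functions = sorted({f for n in hit for f in by_name[n].supports},
                       key=lambda f: BUSINESS_FUNCTIONS[f]["priority"])
    cost = sum(BUSINESS_FUNCTIONS[f]["hourly_value_usd"] * outage_hours
               for f in functions)
    return {"affected_assets": sorted(hit), "functions": functions,
            "estimated_cost_usd": cost}


if __name__ == "__main__":
    base = baseline(SAMPLE_ASSETS)
    now = with_config(SAMPLE_ASSETS, "app-server", {"patch_level": "KB-2"})
    print("changed since baseline:", detect_change(base, now))
    print(impact(SAMPLE_ASSETS, "db-primary", outage_hours=4))
```

The point of the dependency walk is that the asset with the vulnerability is rarely the one the business notices: a problem on the database host here costs both business functions, while the same problem on the web front end costs only one, and that difference in estimated dollars is what the decision to patch, buy, or accept the risk should rest on.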

When we finally shift from static to dynamic mode, from reacting to controlling, and address technology change control in its business context, we will start living comfortably in the real world instead of trying to stave it off.

(c) 2005  Bar Biszick-Lockwood/QualityIT

Last Updated ( Sunday, 27 March 2005 )