Looking back on the spectacular security breaches of the past few months it is almost impossible to avid the feeling that enterprises and organizations around the world have their heads stuck firmly in the sand, at least as far as Information Security goes.
Okay, so you didn’t know the pistol was loaded. Well, ignorance is hardly an excuse in most cases, and Information Security is one of them. The only way to protect yourself from attack is by knowing your own weaknesses and doing something about them.There are at least two ways to skin this particular cat; one has to do with proper organization, the other is more technical in nature. Let’s start with the organization: It means assessing the risks involved in losing important information or having it tampered with. Just how much protection do I need, is the question IT and business managers should be asking themselves. Finding the right answer means analyzing every bit of information in the company and determining just how sensitive it is and, as a consequence, how much it needs to be protected. Not all information is created equal, after all, so instead of applying a one-size-fits-all approach to securing information, why not tailor you security measures to the actual degree of risk involved? Makes sense, huh?
And by the way, we’re talking here about securing information – not systems! The real object here is to make sure that the information itself is protected, and that is something completely different.
This is where our second agenda item comes into play: technology. IT needs to be able to look long and hard at each and every attempt at breaching their existing security measures, and they need to do this automatically and in a standardized way. That is why standards-based tool like SIEM (Security Information and Event Management) are becoming more and more important, since they allow IT to automate the threat discovery process. Another option are the managed services many security companies now have on offer. Whichever way you go about it, the goal is always the same: Detecting irregularities as quickly as possible, since every aberration within the system could potentially mean you are under attack. The sooner you can detect and analyze these anomalies (manually in many cases), the better you can determine if they are in fact malicious and how to set about defeating them.
If you skip your homework, then what’s the sense in making big investments in IT security in the first place? You can’t just throw money at the problem: Without really sitting down and doing a thorough risk analysis, you are stuck with making gut-feeling decisions. Okay, some people think with their stomachs, but brains are better. Without turning on the little grey cells, any decision reached will probably be piecemeal and leave gaping holes in your security infrastructure.
Of course, taking this kind of approach to security analysis means that some IT departments will have to start taking a much more systematic approach to security. If this increases the workload, well tough luck! That is the price you pay for being able to sleep well at night (and making sure the boss does so, too). Systematic risk analysis is the fundament on which true information security is built.
And don’t expect to save money, at least not short-term. Security has its price – but being the victim of a full-scale hacker attack will cost you lots more. Just ask Sony, RSA, Epsilon, Citigroup, Google, Honda, Lockheed Martin, Nasdaq – the list goes on and on. In fact, 2011 is shaping up to be the worst year for security breaches ever. Risk management is (or should be) at the top of very company’s agenda these days. And that means Information Security and handling the inevitable risks involved in doing business in a networked world should be at the front of everybody’s mind.