Companies spend substantial sums on IT security, but for some reason it seems they aren’t getting much bang for their bucks. The reason, of course, is that they are putting them into point solutions instead of investing them in clear and proven strategies.
By definition, point solutions are meant to solve one particular problem without regard to any related issues. They provide a quick fix for a certain problem or a fast track to implementing a new service, but they don’t solve the overall issue. Take SAP security, for instance: if you don’t protect the database and the underlying operating system, the SAP-level controls aren’t worth a dime. Or consider USB sticks. Yes, you can block them, but if you can still send sensitive data out by e-mail, what’s the point? Lots of problems that expensive Identity and Access Management systems are designed to solve crop up again immediately because some application developers habitually store passwords in unencrypted databases.
The best way to build IT security is to sit down and think long and hard about what exactly you need to do. If you need help, there are tools available such as the BSI Security Handbook published by the German Department of IT Security or the ISO 2700x standards. However, they are no substitute for plain common sense. Even certification only goes so far in helping you protect your systems, since it fails to cover every aspect. Besides, it often leads to a false sense of security. Securing your IT is a year-round job, not something you can take care of with an annual check-up.
A good place to start is by analyzing the risks to your information, to your data and to the systems that process them. And don’t forget: it’s about the information, not about the systems! The “I” in “IT” is much more important than the “T”. In fact, “information security” would be a much better term for what we’re doing here, namely protecting both information and transactions from abuse.
Once you know what your goal is, it is time to develop a strategy: one that covers everything from authentication and authorization to the storage of identity information, end-to-end encryption of information (which means during storage and transmission as well as processing!) and auditing. The focus should be on finding the right mix of measures to fit the various risk scenarios, not on investing in point solutions that simply solve a certain problem.
In the end, it all boils down to a matter of common sense. Unfortunately, that item doesn’t seem to be in great demand, at least in IT security circles. The majority of applications available today are obviously designed to fill individual holes in the dike. And decision makers consistently earmark funds for solutions that only solve a single issue instead of thinking outside the box and looking for ways to address the big picture. The results aren’t nice to see, and they inevitably lead to an angry call from the boss asking why the hell he isn’t getting anywhere near the bang he was promised for all the bucks he invested in IT security. The honest answer, in all too many cases, is simply: “Sorry, we put them in the wrong place.”