Too often IT security is focused on technological fixes for specific problems, particularly combating malware, attempted intrusions into the enterprise databases, and disaster recovery (DR). The corporate security team spends its time putting out fires, always a step behind, with no time to plan. And when they talk to vendors, their planning efforts are short-circuited directly to the product level.
This approach is itself risky. It can lead to over-investment in some areas while others are ignored, leaving the enterprise vulnerable. Spot solutions are often brought in with little regard for what is already in place, leading to a confusing “zoo” of incompatible solutions that adds huge complexity to security management.
Getting control of this situation requires a step back from the immediate emergency and some time and effort spent on risk management, the process of creating a master security plan that can bring order to the chaos.
Risk management has several principles including:
- Planning starts with identifying the entire list of risks facing IT rather than focusing exclusively on specific pain points.
- Risks can be mitigated but not eliminated.
- Not all risks can be handled immediately; some will have to wait.
- How much a particular risk needs to be mitigated depends in part on the amount of exposure and in part on the enterprise's comfort level with the risk.
- Some risk may be beyond the organization's ability to mitigate and will simply have to be accepted as part of the business environment.
- Not all risks are amenable to technological fixes, and where they are the solutions chosen need to fit together into an architecture rather than being bought and installed as isolated “islands of security”.
The universe of risks
Overall, IT faces three main classes of risk:
- Technology risks: These are the traditional IT concerns, ranging from equipment failures through viruses and worms to denial of service attacks, intrusion attempts, and “war walkers” accessing your wireless network from the outside and slipping past the corporate firewalls.
- Legal and personnel risks: These include compliance and legal discovery issues. They also include the dangers represented by the organization's own personnel, including careless errors and purposeful theft of, or damage to, equipment or data. These are often ignored in IT security efforts, but the best malware protection cannot prevent a malicious employee from stealing, misusing or altering data from the inside.
- Natural and man-made disasters: These range from simple power failures to region-wide natural or man-made disasters such as floods, earthquakes, large storms, and fires.
The entire list is fairly long, but fortunately a standard exists: the Control Objectives for Information and Related Technology (COBIT), available from the Information Systems Audit and Control Association (ISACA). This list covers all risks faced by the enterprise, of which IT focuses on a subset.
In the next part of this series I will discuss a three-step approach to creating a risk management plan for the enterprise IT organization.
Action Item: The first step in gaining control over IT security is to take a step back from the reactive, fireman mode that typifies the day for many in IT security. Planning is essential for managing risk, and the first step is to identify all relevant risks including those connected with enterprise and IT personnel.