Security has become a watchword in the enterprise. On this matter, there is no debate. Where there is debate, however, is in what priority security is given, when weighed against and amongst all the various initiatives in the enterprise. Cascading from these questions is the inevitable one—is security simply an IT issue or is there more to it?
Let us resolve this issue upfront. Security is FAR more than simply an IT issue. Security needs to be understood as a core business imperative and the way an enterprise manages its security posture needs to relate directly to the way it wants to manage its business risk. Just as CEOs think about competition, regulatory compliance, product cycles, globalization, personnel retention and finance as key levers of business, so too must they work to ensure that security is elevated to this level.
Each enterprise has a unique risk profile and each management team has a unique set of parameters it uses to gauge optimal risk tolerance. Coupling these two, one finds immediately that there are no pat answers around security; and reducing it to a matter of hardening servers or locking down applications is a huge mistake, albeit one made by many enterprises. And just as a company’s business evolves, so too must its security controls and its risk mitigation strategies. Just as the environmental factors evolve (compliance, regulation, industry standards), so too must a company's security controls change.
And as attack vectors get more complex and hacking gets more sophisticated, companies have to have more complex and sophisticated counter-measures in place to ensure that their core business functions are not retarded or arrested by security breaches.
As always, there is a trade-off between security and ease of getting business done. One could take all of a company’s computers off the Internet, give few employees access to internal applications, ensure that all passwords are complex, and that users have to authenticate against the networks with many factors. One could never allow remote access and disallow mobile devices from accessing any part of the network. But at what cost? And how much risk are you exposing yourself to if you allow your employees to VPN in from home or to access a plethora of internal applications? If the IT folks and the business side of the house don’t talk, we’ll never be able to actually assess what trade-offs a company should make to ensure a high degree of security all the while enabling employees to engage in the core businesses that make the company money. Again, it’s all about the art and science of risk mitigation.
Now that we’ve established that security is a business issue, let's drill down into its constituent elements. A holistic view of security looks at people, process, product, and policy. Security experts understand that sound policies in one area in the absence of complementary sound policies in another-while a start-are not satisfactory in helping to secure the enterprise. Furthermore, security cannot be seen as a “point in time” phenomenon. Security in an ongoing exercise with a need for continuous improvement like any other source of competitive advantage or disadvantage.
With regard to the four pillars of holistic security, the people and process issues are often over-looked. To people steeped in IT, the idea that HR policies or continuous education around roles and responsibilities are just as important as keeping ports blocked seems foreign. If the responsibility for security sits in-and only in-the IT department, such myopia will continue and will bode ill for an enterprise's ability to mitigate risk. That processes need to be documented and imbibed is paramount so that the “keys to the city” are not in only one or two peoples’ possession.
Within the product pillar, application security is often sidestepped since for many IT folks, security is an issue of networks only. Leading security consultant firms, however, emphasize the need to secure applications in the enterprise, especially those that face the Internet.
A crucial area that combines the product, process, and policy pillars is Patch Management. The most often cited area of enterprise pain is the need to quickly apply patches to thousands of systems, at low cost.
Companies need to have consistent policies around patch management, have to enshrine best practices in this area, and need to work with their vendors to consume the latest in technical and process guidance. Technical solutions alone won’t do the job.
An area that combines all four pillars might surprise you—how to get individuals who have been fired from the company off the company's network. Studies have shown that this often takes one to two weeks, with some cases running into years and beyond. What is more, disgruntled former (and frankly even current) employees are known to be a great source of risk. How does one handle this issue? Clearly, there are “people” issues here—who you hire, what policies you have in place when a person is let go, and so on. There are process issues to ensure that best practices are replicated th roughout the company and to ensure that processes are documented and adhered to.
Policy comes to play because all companies need to have clear guidelines, both legal and technical, governing this process. Finally, product comes in too—how does one technically ensure that former employees' email accounts and application/network passwords are de-provisioned and that remote access is immediately cut off? The lesson here is that a seemingly simple issue is really a complex one-with huge ramifications for an enterprise's security posture.
These are just a few examples of the need for more comprehensive rigor when working to secure the enterprise and manage risk.
Lastly, it is worth mentioning that security is an industry issue and has to be dealt with in a cross-company, cross-vendor, fraternal way. As complex as it is and with so much at stake for companies and individuals alike, it is high time that the industry as a whole takes a concerted approach to help each other mitigate security-borne risk. Best practices should be shared and all companies should have incident response programs in place.
No enterprise will ever be 100 percent secure. That is a fact. And no enterprise will ever spend all of its money on security. That too is a fact. So a delicate chemistry has to be decided on, balancing costs, risks, and rewards.
Just make sure that the resultant set of controls views security holistically and casts security in the language of business.