Corporate Security

Establishing the right corporate IT security level has become as important a business parameter today
as any other element of conducting business successfully.  This elevated status of a seemingly small IT
element is a new trend: it emerged strongly at the start of this century and becomes more of a fact
each month.

The most successful companies have always treated security, and with it IT security, as a natural element
of infrastructure and of its management.  The world, however, has changed.  To quote Alvin Toffler:

                 "The 21st century will be dominated by information wars
                  & increased economic and financial espionage"

The point here is this:  To stay competitive, your IT strategy has to contain a firm commitment to a
Risk Management Strategy that clearly stipulates the level of IT Security relevant to your business requirements.

Structuring the IT security strategy, then the policies and then the implementation, is not unlike
any other large IT project.  And it should come as no surprise that this is indeed a large project.
It is however digestible if a structured approach is followed.  Among the standards most commonly used
is ITIL, which is recommended if the organization already uses it.

A simpler approach, such as the one taken by British Telecom and others, may be more straightforward.
Here the IT security subject is divided into three areas:  PEOPLE, PROCESS and TECHNOLOGY.
This approach, originally developed in Denmark in July 2004, immediately breaks the effort down
into manageable parts.

There are many tools available.  First and foremost, Microsoft issued (spring 2005) a comprehensive
set of tools for evaluating, classifying and determining risks.
See Microsoft's web pages and especially the Security Risk Management Guide (which is available for download).

After analyzing the security implementation approaches of more than 10 larger European companies, it has
become clear that the following flow works best:

- Obtain executive management commitment
This is NOT easy in most companies, except in the financial sector.  Taking for granted that executive
management understands and/or appreciates IT security is one of the very big mistakes made by IT
security consultants; the fact often is that this understanding is not present.
Selling the concept becomes the first important milestone.  Recent events in the (rising) threat profile
make it easier, but StealthSecure's experience is that a LIVE demonstration of breaches,
hacking and their real consequences is what really convinces people.  Nothing works better than real life!
If your company is recovering from a big attack, even better, unfortunately.
Assuming commitment (including resources) has been secured, executive management would normally take part
in steering committee work, and this is key to the project going forward.

- Create the IT security strategy for your company
In essence, strategy statements outline the scope and purpose of the company's endeavours in the area.
To quote IBM: "Strategy is what a company does to sustain and grow its business value into the future"
(Source: Corporate strategy for the new millennium, Executive strategy report, by Peter J. S. Korsten and Saul J. Berman, 22 Jan 2003).
This should set the motivation for an assessment and evaluation of the risk categories and elements.

- Assess and evaluate the risk categories and elements
This is where experience with people, cultures and technological know-how is essential.
Our model is based on the main risk categories, in order of importance:

1. PEOPLE
The greatest potential and the greatest risk lies with those who use the technology
to conduct their duties.  Most people do make mistakes, but they are rarely deliberate.
Educated and conscious users alone can reduce the risk dramatically. 


2. PROCESS
Updated work processes and procedures can save time and effort in conducting many business
tasks, especially when complex routines are involved.  When combined with the use of technology,
discipline and consistency are both needed to ensure a cost-effective solution.


3. TECHNOLOGY
The best educated users using the most up-to-date and tested procedures need the right
technology to back up those efforts.  Choosing the right solution depends on the strategy,
the degree of user involvement and the procedural foundation.  For this reason, the
technology component always has to come last, to ensure that investments are best
suited to the requirements and scaled adequately.
Based on these three assumptions, the detailed relevant risks should be mapped out and
the appropriate countermeasures implemented.


Embarking on the journey to a secure company is not a short-lived project; it is a strategic
decision to add security to the fundamental business platform, just like deciding to employ
technology in a production line, and just as vital.


Copyright © 2005 - 2010 StealthSecure.net
Last modified: 01/02/10