Security, unfortunately, is one area where IT professionals are never "done." I work on plans for network installations and upgrades all the time, and we eventually wind up with a list of required equipment, a cutover/migration plan, an operational plan and similar documents covering user training, help desk and other support, and on and on. And, of course, a security plan is always part of the process. But whereas almost all of the installed elements can at some point be declared to be operational and finished for a particular cycle (subject to occasional updates, bug fixes and revisions), security is so critical a component that, in all but the smallest organizations, it requires near-continuous attention. Come to think of it, even small companies should have a good security plan and set of procedures in place, with regular reviews, even if nothing seems to be amiss. As I said, this is the one area where you are never done.
I occasionally give talks on information security, and I love to ask the audience how many of them have never been hit by a security breach or other security-related problem. They almost all raise their hands, and then I lower the boom -- how do they know?
Everyone will agree that information and network security are important, but the biggest push-backs I get when talking about security relate to two factors: cost and convenience. It is possible to spend vast sums on security, and this is often justified – as with government and military networks -- but the commercial world has two specific security threats, and one of them is usually minor: the casual hacker. These folks have way too much time on their hands, and this is manifested in the need to cause mischief or obtain bragging rights among the like-minded, or simply in a pathological need for Internet access. But though the casual hacker seldom causes a major meltdown -- and indeed, helps to keep a focus on the need for security in the first place -- the other threat, the professional information thief, is and must always be a major concern.
Driven by profit, these nefarious individuals have detailed technical knowledge of networks and understand and often develop the techniques for cracking nets with a high degree of effectiveness and stealth. Information is often long-gone before their tracks -- if any -- are discovered. But let's be fair: What are the chances of getting hit by one of these guys? Should those vast sums be spent simply in anticipation of an attack that may never come? And with that expense comes the second push-back -- inconvenience. There is little doubt that security measures can and often do affect productivity and create additional support costs. Security solutions that are hard to use are often counterproductive -- users just write down difficult-to-remember passwords or otherwise leave mobile devices unlocked. All that expense can indeed be wasted in such situations.
But, based on the theory that if you don't know where you're going, any road will take you there, it is best -- despite the obvious urgency and criticality involved (to say nothing of increasingly strict regulatory requirements) -- to take a deep breath and start with a plan to tackle your particular security challenge. And this plan begins not with a purchase but with a document -- the development of an enterprise security policy. We'll cover the contents of a security policy next time.