Do you consider your finances, personal information and standing
within the community as something you should protect? Why then do
you not hold in such high regard the security of these within your
business? Is security an add-on within your business or is it a
primary business requirement?
Security starts at conception
Security has to be discussed at the conception of any idea and
continue all the way through any decision, with full support and
governance from the board.
Failure to take security as a primary business requirement will
lead to loss of business value, reputation, revenue and
credibility, and responsibility for this failure ends with the
board.
Many still do not see IT, never mind security, as a valued cog
in the mechanism that delivers business value.
Take one example: in 2006 about 20% of the payment card industry
made no effort to address a specific security-related concern,
PCI DSS, leading to countless tactical deployments that failed
to fit smoothly within an organisation's infrastructure services
and that affected security across the business and across all of its
technology.
An immovable object
In this age where threats are all around us, security should be
an immovable object that you work with, not around.
PCI DSS is just one of these immovable objects, and if your
business stores, processes or transmits payment card data, you are
in scope for enhancing security.
Although aware of enforceable guidelines such as PCI DSS, some
businesses fail to understand the implications, let alone the
extensive requirement for re-engineering of systems, services,
processes and procedures, of addressing "good" security. Adding
security at the end is expensive and will often be a weak
compromise.
Initiatives like PCI DSS are becoming commonplace. Marketplace
institutes and industry bodies are laying down the law and
businesses need to think about security from the very top, down to
every nut and bolt that holds the organisation together.
Many decisions on vast aspects of the machinery that drives the
business are delegated to individual departments or specific
individuals, promoting solutions before considering security.
Without the elements of top-down governance such practices are
open to countless security issues. Some do not engage early enough
in decisions and allow isolated decisions to flourish without
inviting all parties for input.
Common mistakes
PCI DSS aside, failure to address or apply security often
manifests itself as ill-formed decisions.
These decisions can include failing to view a system as a
business function; failing to communicate as a single entity with a
single viewpoint and a single vision; and considering a system that
fulfils the department's requirements as "good to go", missing the
point that to be of true business value it should meet the
business's requirements (for the department) and not just the
department's own requirements.
When news of the theft of millions of card details can be
flashed across the world's TVs, some still focus on reducing cost
as their primary goal without fully considering other factors,
which could cost the company dearly.
All decisions need to return business value and not leave a
business vulnerable.
● David Gregg is a technical and security consultant, certified
network and solution architect, and project manager at The Logic
Group