
Since the first viruses were created (often transmitted by floppy disk) there has been an ever-escalating challenge for those working in security to keep data and resources safe. This "war" is characterised by ever more technology on both sides of the divide. The attacks are becoming ever more targeted and sophisticated, while the defence is becoming more complex and interdependent in order to protect against all possible threats.

What can be done? Every new patch, virus definition or spam profile that is applied has a shrinking window of effectiveness before it is defeated by a teenager in South America or Eastern Europe. In spite of this, most vulnerabilities do have a patch available before large-scale attacks that can damage an enterprise start to occur.

The complexity of ensuring these updates are applied correctly across enterprise environments is what takes the time and costs the money, and that complexity is only increasing.

Add in all the systems that monitor what your user community is doing, the intrusion detection systems and the other monitoring systems, and it all adds up to a big complexity headache.

This sort of environment has built up over a number of years, perpetuated by a mindset of "see a hole, buy a product" and a zero-tolerance, authoritarian approach to security. Bandages are applied in response to an urgent problem, but none of these bandages is refreshed as the health of the patient improves.

Controlling it all usually falls to a few extremely talented security professionals who are able to understand and manage the complexity. This is misaligned with accountability, which usually sits at executive level. The mismatch leaves the organisation exposed and dependent on a small group of key staff.

Simplification is the key to transforming this situation, making it more sustainable and lowering risk. The first pragmatic step is to understand the value of all the different assets, both tangible and intangible, that you are trying to protect.

Start by answering three questions: what are our critical assets? What are they worth to the business or to a competitor? And who might want to damage, steal or compromise them? From here you can move on to classify the assets by criticality. Once this classification is in place, appropriate protection strategies and access policies can be defined for each category.

Once protection strategies and policies are defined, building and maintaining the infrastructure to police them becomes more straightforward. Sophisticated, leading-edge systems are still required to ensure that the critical assets are protected with watertight technology, procedures and access privileges, but this now has a much smaller footprint.

Less critical assets can be adequately protected by standard, well-understood technical systems wrapped in a protective layer of rigorous management, assurance and business continuity processes and controls.

Taking these steps will allow you to see the wood for the trees again, unpick the complexity and ensure that your company is not splashed all over the media because of an embarrassing security lapse.

Matt Came is a performance improvement management consultant at PricewaterhouseCoopers and is a member of (ISC)2.