
The concept of knowledge management is an alien one
within the majority of organisations. However, harnessing the
experience of employees is the essence of all business, and it is why we
pay, sometimes extortionate amounts of money, for certain key
individuals, writes Craig Goodwin, CISSP, head of security services
at Optimum-MBA.
How many organisations rely on a single individual to maintain
80% of their IT infrastructure, completely unaware that it would be
next to impossible to find someone with that specific knowledge and
skill set should that person seek greener pastures elsewhere?
This valuable resource must be harnessed, recorded and utilised
so that it can be called upon regardless of individual post
holders. For security, a function which is highly interdependent on
its interaction with other business functions, tracking and storing
the specific knowledge behind what makes the operation effective,
can pay long-term dividends.
Reactionary controls
Immature security functions have a tendency to be reactionary,
through no fault of their own. With a lack of defined policies or
processes to turn to, individuals find themselves constantly
dealing with security incidents, be it network intrusion, e-mail
misuse or loss of confidential information. They call upon their
own expertise to do this, unable or sometimes refusing to call upon
previous solutions, certain that they will make a larger impact
within the organisation if they do it themselves.
In these circumstances, reactionary controls are the necessary
solution - another firewall there, more internet blocking here - and,
in the short term, the problem is solved. In the longer term,
reactionary controls become a burden on both manpower and budget:
their purpose is not recorded, baselines are not documented,
and their usefulness across the longer-term business
infrastructure is limited.
Policies, processes and standards
Investment of time and money in a clearly defined, well
structured and well integrated set of policies, processes and
standards that reflect the best practices known - both generally
and from an organisation's specific experience - will ensure that
technological measures such as firewalls, anti-virus software,
routers and intrusion detection systems are deployed effectively
and consistently, while the knowledge behind them is disseminated
across the organisation.
A truly holistic approach to security will be achieved through
the integration of the organisation's business functions and
processes. The process should therefore bring together those elusive IT
people and the key HR individuals, and address security issues with
integrated and logical thinking before money and
technology are thrown at the problem.
Review existing controls
In the current economic climate, the process can begin with a
review of the utilisation of existing controls to ensure you are
making the best use of everything that you have in place. The
effort should document baseline technical standards for each
barrier. A set of policies should emerge based upon best-practice
standards and possible areas of improvement.
While alleviating the operational burden, and saving costs, the
foundations are set to ensure that all standards, processes and
procedures - the organisation's knowledge - are documented and
maintained.
I encourage all to take a condor moment. Breathe, step back and
take a holistic look at what is already in place. Document
everything, educate everyone and start utilising and controlling
our most precious commodities, people and knowledge, to provide the
levels of security we all strive for.