The main threats that organisations and their customers are
facing today are the same ones that have always been around:
ignorance, apathy and poverty. And the best thing that any
organisation can do to reduce the impact of these, is to simply get
the basics right. But you won't be able to do anything if you don't
know your threats, don't have the appetite to address them, or
don't have the budget to pay for the solutions, writes
Martin O'Neal, managing director of independent security
consultancy Corsaire.
Security for the business itself, or for its customers, is all
about gaining a good understanding of the risks, and then building
appropriate processes to ensure that they are balanced against the
effort and cost of addressing them. Everything else is really just
window dressing. For example, that shiny new security appliance
that you were looking at last week (available in suitably bold
primary colours) will not make your organisation secure. There are
no magic bullets, only good sense and hard work.
And now we get to the nub of the problem, the typical board of
corporateville. These busy people can, quite literally, talk for
days about the colour of the latest product packaging (mauve or
taupe, darling?), but when it comes to where those pesky credit
card numbers get stored after you have taken your client's money,
then they tend to be far less talkative. Until things go wrong.
Increasingly, the legislation and regulation that cover security
are being given real teeth, to punish those who flout them.
Punitive fines, suspension of trading facilities, and ultimately,
members of the board can go to prison. And what would any busy
person (upon finding themselves staring down the barrel of a
punitive deadline), be looking for in their hour of need? You've
got it; their gut instinct will be to bite the hand off the first
magic-bullet solution that comes along. If you are the person
responsible for security, the trick is to make sure that the
particular bullet is one of your choosing (magic or otherwise).
The real problem with all this, I would say, is that the
attention span of the typical board is about three weeks, starting
from the last high-profile security event (be it a failed audit, a
rogue employee, or a successful hack, etc.). And the biggest
challenge is seizing this slim window of opportunity, and using it
to your maximum advantage. If you don't get your plans in front of
the board, and budgets signed-off in these three weeks, then you
might as well keep your pipe and slippers to hand, because you
won't be doing anything more interesting in the near future.
So to summarise, if you are apathetic, simply go back to your
mochaccino now (this next bit isn't for you). For everyone else,
start your preparation today; profile your organisation and
understand the real risks. Then pull together some sensible
solutions and ballpark budgets to address them.
And finally, the next time that your organisation is struck by a
compelling event, you can simply set out your stall. You'll be
thinking comprehensive solution, they'll be thinking magic-bullet,
and everyone should end up living happily ever after. Well,
everyone except the VP of hospitality who (after reading an article
in an in-flight magazine about security) was hankering after a
puce-coloured security appliance for the datacentre.