Many companies' current IT security policies are incomplete, ad hoc and reactive, despite the high profile of IT security in most organisations and the resources invested in the area.
Furthermore, communications between partners compromise IT security, and the need to secure information in transit to partners is rarely adequately considered.
Most IT departments strive to protect their company's information with firewalls, permissions and passwords, possibly combined into some sort of security policy. However, these practices and policies are often ad hoc - reasonably complete for some applications and processes, but dangerously incomplete for others.
Changing business priorities and processes can result in quick-fix solutions to communications problems, implemented at a departmental level, which further degrade a business' IT security and its ability to manage and control that security. How do you secure communications if you do not know they are happening?
Viewing an organisation as a single entity is increasingly inappropriate in the current business environment. Businesses operate as part of a value network composed of multiple trading partners and they have multiple entry and exit points to their systems. IT security is becoming stretched to monitor and secure both the gateways to networks and the trading partners that use them.
What is more, ever-increasing levels of e-business and information sharing mean those charged with securing business-critical data also need to consider the possible threats to that data after it leaves their systems. Companies may believe their intellectual property and competitive intelligence is highly secure, but if they are trading with a compromised partner then their data is at risk.
As businesses collaborate and share more significant amounts of data they need to consider their partners' credentials and the data transmission methods they employ. IT directors must realise that effectively securing systems can only be done by considering security needs throughout multi-enterprise business processes, rather than just through an insular view of their organisation.
But how can businesses secure their information resources without constraining their business processes and their ability to compete successfully?
Security is not binary - on or off, secure or not secure - but analogue: varying degrees of security can be applied. Businesses must assess the risk associated with particular information transfers, i.e. the impact on the business if the security of that transfer is compromised, and allow this to drive their security decisions.
IT departments must leverage a more intelligent, risk-based approach to IT security to meet the communications needs of the business and its partners, quickly and effectively, while also ensuring that appropriate security is applied. If the right way is too difficult, people will find a wrong way of their own that meets their immediate business needs.
Chris Hayes is solutions manager at integration software supplier Sterling Commerce
This was first published in April 2004