Since the first viruses were created (often transmitted by floppy disk) there has been an ever-escalating challenge for those working in security to keep data and resources safe. This "war" is characterised by increasing technology on both sides of the divide. The attacks are becoming ever more targeted and sophisticated, while the defence is becoming more complex and interdependent in order to protect against all possible threats.
What can be done? Every new patch, virus definition or spam profile that is applied has a decreasing window of effectiveness before it is compromised by a teenager in South America or Eastern Europe. In spite of this, most vulnerabilities do have a patch available before large scale attacks that can damage an enterprise start to occur.
The complexity of ensuring these updates are applied correctly into enterprise environments is what takes the time and costs the money. This is a level of complexity that is only increasing.
Add in all the systems to monitor what your user community is doing, the intrusion detection systems and the other monitoring systems, and it all adds up to a big complexity headache.
This sort of environment has built up over a number of years, perpetuated by a mindset of "see a hole, buy a product" and a zero tolerance, authoritarian approach to security. Bandages are applied in response to an urgent problem, but none of these bandages are refreshed as the health of the patient improves.
Controlling it all usually falls to a few extremely talented security professionals who are able to understand and manage the complexity. This is misaligned with accountability, which usually sits at an executive level. This mismatch leaves the organisation exposed and dependent on a small group of key staff.
Simplification is the key to transforming this situation, making it more sustainable and lowering risk. The first pragmatic step is to gain an understanding of the value of all the different assets, both tangible and intangible, that you are trying to protect.
Start by answering the questions: what are our critical assets? What are they worth to the business or to a competitor? And who might want to damage, steal or compromise them? This provides a good place to start, and from here you can move on to classify the assets based on criticality. Once this classification is in place, appropriate protection strategies and access policies for each category can be defined.
Once protection strategies and policies are defined, building and maintaining the infrastructure to police them becomes more straightforward. Sophisticated, leading-edge systems are still required to ensure that the critical assets are protected with watertight technology, procedures and access privileges, but this now has a much smaller footprint.
Less critical assets can be adequately protected by standard, well-understood technical systems wrapped in a protective layer of rigorous management, assurance and business continuity processes and controls.
Taking these steps will allow you to see the wood for the trees again, unpick the complexity and ensure that your company is not splashed all over the media because of an embarrassing security lapse.
Matt Came is a performance improvement management consultant at PricewaterhouseCoopers and is a member of (ISC)2