IT security crisis management: looking beyond the magic bullet


The main threats that organisations and their customers are facing today are the same ones that have always been around: ignorance, apathy and poverty. And the best thing that any organisation can do to reduce the impact of these is to simply get the basics right. But you won't be able to do anything if you don't know your threats, don't have the appetite to address them, or don't have the budget to pay for the solutions, writes Martin O'Neal, managing director of independent security consultancy Corsaire.

Security for the business itself, or for its customers, is all about gaining a good understanding of the risks, and then building appropriate processes to ensure that they are balanced against the effort and cost of addressing them. Everything else is really just window dressing. For example, that shiny new security appliance that you were looking at last week (available in suitably bold primary colours) will not make your organisation secure. There are no magic bullets, only good sense and hard work.

And now we get to the nub of the problem, the typical board of corporateville. These busy people can, quite literally, talk for days about the colour of the latest product packaging (mauve or taupe, darling?), but when it comes to where those pesky credit card numbers get stored after you have taken your clients' money, then they tend to be far less talkative. Until things go wrong.

Increasingly, the legislation and regulation that cover security are being given real teeth, to punish those who flout them: punitive fines, suspension of trading facilities and, ultimately, prison for members of the board. And what would any busy person (upon finding themselves staring down the barrel of a punitive deadline) be looking for in their hour of need? You've got it; their gut instinct will be to bite the hand off the first magic-bullet solution that comes along. If you are the person responsible for security, the trick is to make sure that the particular bullet is one of your choosing (magic or otherwise).

The real problem with all this, I would say, is that the attention span of the typical board is about three weeks, starting from the last high-profile security event (be it a failed audit, a rogue employee, or a successful hack etc.). And the biggest challenge is seizing this slim window of opportunity, and using it to your maximum advantage. If you don't get your plans in front of the board, and budgets signed off, in these three weeks, then you might as well keep your pipe and slippers to hand, because you won't be doing anything more interesting in the near future.

So to summarise, if you are apathetic, simply go back to your mochaccino now (this next bit isn't for you). For everyone else, start your preparation today; profile your organisation and understand the real risks. Then pull together some sensible solutions and ballpark budgets to address them.

And finally, the next time that your organisation is struck by a compelling event, you can simply set out your stall. You'll be thinking comprehensive solution, they'll be thinking magic bullet, and everyone should end up living happily ever after. Well, everyone except the VP of hospitality who (after reading an article in an in-flight magazine about security) was hankering after a puce-coloured security appliance for the datacentre.
