Don't Forget the Basics
From the Editors of ITSC
It's all too easy to get caught up in the latest cyber threat, the latest point solution, or the latest technology. That's just the price of doing business in the accelerated world in which we live. But while CIOs do need to understand and master all of the cutting-edge issues, it is also important to bear this in mind: if CIOs don't also succeed in keeping a strong foundation of the basic principles of information security in place, cutting-edge successes won't suffice.
It's all about people
Individuals and organizations are fending off an ever-increasing variety of Internet threats on a daily basis. While technology can help protect systems in such an environment, no amount of technology alone can do the job. That's because the real story is all about people. And getting people to do the right thing is the hard part. CIOs know how to make their infrastructures secure, but people make mistakes.
Basic risk analysis
Prudent and effective organizations ensure that decisions to accept, transfer, or mitigate risks are made according to two criteria:
- The decision maker has sufficient information to understand the risk (i.e., complex risks should not be managed based solely on financial considerations). And "sufficient information" means understanding the business ramifications of the risk.
- The decision maker's scope of authority and accountability circumscribes the assets at risk (i.e., a business unit manager shouldn't make decisions about a risk that affects the entire enterprise).
That said, there are also legitimate differences in risk appetite between different decision makers: no combination of threat and vulnerability can be considered risky as an absolute. Risk is dependent on the business context and the willingness to accept risks. Discussing this principle with different members of the company lets them know the CIO understands and respects the authority that has been vested in them to make basic risk decisions, including those related to information security.
As the IT Governance Institute has observed with regard to the COBIT (Control Objectives for Information and Related Technology) framework: "Ultimately, management must decide on the level of risk it is willing to accept. Judging what level can be tolerated, particularly when weighted against the cost, can be a difficult management decision. Therefore, management clearly needs a framework of generally accepted IT security and control practices to benchmark the existing and planned IT environment."
Why this mini-lesson in basic risk analysis? Because too often, management decides to accept risks based on wishful thinking or because of misrepresentations by their staff. They don't really have an adequate grasp of what is at risk. It is the responsibility and challenge of information security professionals to help remedy that situation, and to drive security efforts toward business initiatives. Conversations with business managers often go much better if mutual understandings regarding some simple, basic principles are reached at the start. Finally, it's worth taking a second look at risk assumption decisions that were made over previous years. The current regulatory climate is raising the bar significantly, and what may have been a prudent risk decision in the past may not be today.
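The two criteria above, and the advice to revisit older acceptance decisions, can be checked mechanically before a risk acceptance is recorded. The following is an added example, not code from the original article; the scope hierarchy, asset ownership, review window and sample records are all constructed assumptions, and a real organization would draw them from its own organizational chart and asset register.

```python
"""Policy-as-code check for risk acceptance decisions (added example, not the
article's own). It encodes the two criteria the text states: the decision
record must carry a business-impact statement, not just a cost figure, and
the approver's scope of authority must cover every asset the risk touches.
It also flags acceptances older than a review window so that earlier
decisions get a second look. All scopes, assets and records are constructed."""
from dataclasses import dataclass
from datetime import date

# Constructed scope hierarchy: parent -> children. An "enterprise" approver
# covers everything beneath it; a business-unit head covers only that subtree.
SCOPE_TREE = {
    "enterprise": ["retail", "treasury"],
    "retail": ["web-store", "pos"],
    "treasury": ["payments"],
}

# Constructed asset -> owning scope mapping.
ASSET_SCOPE = {
    "web-store-db": "web-store",
    "pos-terminals": "pos",
    "swift-gateway": "payments",
}

REVIEW_WINDOW_DAYS = 365  # assumption: acceptances older than a year are re-reviewed


def scope_covers(approver_scope: str, asset_scope: str) -> bool:
    """True if asset_scope is approver_scope itself or lies within its subtree."""
    if approver_scope == asset_scope:
        return True
    return any(scope_covers(child, asset_scope)
               for child in SCOPE_TREE.get(approver_scope, []))


@dataclass
class RiskAcceptance:
    risk_id: str
    approver: str
    approver_scope: str
    affected_assets: list
    business_impact: str  # what the business loses if the risk materialises
    decided_on: date
    financial_exposure: float = 0.0


def review_acceptance(rec: RiskAcceptance, today: date) -> list:
    """Return findings; an empty list means the decision meets both criteria."""
    findings = []
    # Criterion 1: sufficient information means more than a financial figure.
    if not rec.business_impact.strip():
        findings.append("missing business-impact statement (a cost figure alone is insufficient)")
    # Criterion 2: the approver's authority must circumscribe every affected asset.
    for asset in rec.affected_assets:
        owner = ASSET_SCOPE.get(asset)
        if owner is None:
            findings.append(f"asset {asset!r} is not in the asset register")
        elif not scope_covers(rec.approver_scope, owner):
            findings.append(f"asset {asset!r} (scope {owner}) is outside approver scope {rec.approver_scope}")
    # Older decisions: the regulatory bar moves, so they need a second look.
    if (today - rec.decided_on).days > REVIEW_WINDOW_DAYS:
        findings.append(f"decision from {rec.decided_on} is older than {REVIEW_WINDOW_DAYS} days; re-review")
    return findings


# Constructed sample records.
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    RiskAcceptance("R-1", "retail-head", "retail", ["web-store-db", "pos-terminals"],
                   "Store outage of up to 4h; card data encrypted at rest", date(2024, 2, 1), 50_000),
    # A business-unit head accepting a risk that also touches a treasury asset.
    RiskAcceptance("R-2", "retail-head", "retail", ["pos-terminals", "swift-gateway"],
                   "Shared VPN concentrator without MFA", date(2024, 3, 1), 10_000),
    # Enterprise-level approver, but no business impact recorded and a stale date.
    RiskAcceptance("R-3", "cio", "enterprise", ["swift-gateway"], "", date(2021, 1, 15), 250_000),
]


def review_all(records=SAMPLE_RECORDS, today=SAMPLE_TODAY) -> dict:
    """Map each risk id to its list of findings."""
    return {r.risk_id: review_acceptance(r, today) for r in records}


if __name__ == "__main__":
    for rid, findings in review_all().items():
        print(rid, "OK" if not findings else "; ".join(findings))
```

Run as a script it prints one line per record: R-1 passes, R-2 is rejected because the approver's scope does not cover the treasury asset, and R-3 is flagged twice, once for the missing impact statement and once for its age.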
Needed: regular risk assessments
Here's another basic idea: "You cannot secure (or manage) what you don't know about." Think of all the irrational network infrastructures in place today that are the result of mergers and acquisitions. It's not uncommon for organizations of any size to have only a partial idea of what is participating on their network. Needed information includes hardware, operating system and application configuration information, as well as parameters for security controls. The network cannot really be secured unless you know what is on it and how it is configured.
All of which leads to the bottom line: institutions need to conduct a comprehensive risk assessment of their information systems and networks today. In fact, such assessments should be scheduled on a regular basis. CIOs have a duty to know what controls are on hand and whether they are working as intended and are compliant.
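The point that you cannot secure what you do not know about becomes concrete when an inventory is reconciled against what is actually observed on the network. The script below is an added example, not code from the original article; the inventory entries, the discovery export (a few CSV lines modelled on what a network scanner might produce) and the control parameter names are all constructed. It reports hosts on the wire that the inventory does not know about, inventory entries nobody has seen, and assets whose observed security-control parameters drift from what the inventory says they should be.

```python
"""Reconcile an asset inventory against network discovery results (added
example, not the article's own). Inputs are constructed: INVENTORY is the
organisation's believed view of its assets with the security-control
parameters each must have; DISCOVERY_CSV stands in for a scanner export."""
import csv
import io

# Constructed inventory: ip -> hostname, OS and required control parameters.
INVENTORY = {
    "10.0.1.10": {"hostname": "fs-01", "os": "Windows Server 2019",
                  "controls": {"edr_agent": "installed", "smb_signing": "required"}},
    "10.0.1.11": {"hostname": "db-01", "os": "Ubuntu 22.04",
                  "controls": {"edr_agent": "installed", "ssh_password_auth": "no"}},
    "10.0.1.12": {"hostname": "legacy-app", "os": "Windows Server 2008",
                  "controls": {"edr_agent": "installed"}},
}

# Constructed discovery export. The controls column is a ;-separated
# key=value list of what the scanner actually observed on the host.
DISCOVERY_CSV = """ip,hostname,os,controls
10.0.1.10,fs-01,Windows Server 2019,edr_agent=installed;smb_signing=required
10.0.1.11,db-01,Ubuntu 22.04,edr_agent=missing;ssh_password_auth=yes
10.0.1.57,,Linux 5.x,
10.0.1.58,printer-3f,Embedded,
"""


def parse_discovery(text: str) -> dict:
    """Parse the CSV export into {ip: {hostname, os, controls{}}}."""
    hosts = {}
    for row in csv.DictReader(io.StringIO(text)):
        controls = {}
        for item in filter(None, row["controls"].split(";")):
            key, _, value = item.partition("=")
            controls[key.strip()] = value.strip()
        hosts[row["ip"]] = {"hostname": row["hostname"], "os": row["os"],
                            "controls": controls}
    return hosts


def reconcile(inventory: dict, discovered: dict) -> dict:
    """Return unknown hosts, unseen inventory entries and control drift."""
    # On the network but not in the inventory: cannot be managed or secured.
    unknown = sorted(ip for ip in discovered if ip not in inventory)
    # In the inventory but not observed: possibly retired, possibly missed.
    unseen = sorted(ip for ip in inventory if ip not in discovered)
    # Known hosts whose observed controls differ from the required parameters.
    drift = []
    for ip in sorted(set(inventory) & set(discovered)):
        expected = inventory[ip]["controls"]
        observed = discovered[ip]["controls"]
        for key, want in expected.items():
            got = observed.get(key, "unobserved")
            if got != want:
                drift.append((ip, key, want, got))
    return {"unknown": unknown, "unseen": unseen, "drift": drift}


def run(inventory=INVENTORY, csv_text=DISCOVERY_CSV) -> dict:
    """Reconcile the constructed inventory against the constructed export."""
    return reconcile(inventory, parse_discovery(csv_text))


if __name__ == "__main__":
    report = run()
    print("Hosts on the network with no inventory entry:", report["unknown"])
    print("Inventory entries not seen on the network:", report["unseen"])
    for ip, key, want, got in report["drift"]:
        print(f"{ip}: control {key} expected {want!r}, observed {got!r}")
```

Each of the three lists answers a different question from the section above: the unknown hosts are what the organization has only a partial idea of, the unseen entries are where the inventory itself is stale, and the drift list is the evidence that a control is on hand but not working as intended. Running this on a schedule, rather than once, is what turns it into the regular assessment the text calls for.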
Ultimately, no control is perfect. In other words, risk cannot be driven to zero. Risk can be accepted, transferred, or mitigated, but no control is a silver bullet. The goal is simply to bring a tone of realism into the security conversation. It will be greatly appreciated by business managers in any organization.
Conclusion
CIOs and IT departments are being asked to do more with less, and to act more quickly and with greater impact on business success. CIOs are not only being asked to keep the business up and running, but to implement and maintain new capabilities that will enable the enterprise to pursue new opportunities, attack new markets, maintain competitive advantage, and more deeply embed customer relationships.
For these reasons, it is important to make a stronger connection with management in order to increase understanding of what is at risk. It is also important to make the case that risk isn't something that can be relegated to the IT department. CIOs must assert some basic principles as a foundation to a meaningful information security dialog with business management.