May 15, 2006

How many Security systems do you need to feel safe?

Tony Lock:
Every CEO, CIO and IT Manager always puts “Security” close to the top of their long lists of IT related matters about which they are concerned. It is, however, interesting to note that in many instances “concern” does not translate into either action or investment. Why should this be so when the whole topic of security is rarely out of the news and at a time when the marketing of “security” solutions has never been more aggressive? A much more important question is ‘how many security related systems do I need to employ to make my IT infrastructure safe?’

The answer to the last question raised is two, neither of which is a technology. The secret to running secure IT systems demands firstly that people with appropriate knowledge and experience be given sufficient time and scope to understand the security requirements of the business and to determine the impact that these will place on the supporting IT Infrastructure. The second step is then to formulate appropriate work procedures, preferably based on industry best practice, to form the basis of routine operations.

If these two steps are taken, the organisation will then be in a position to decide just what technology solutions are required to support its security efforts. Security is all about doing the right things at the right time. It is not about having the latest, greatest piece of security software or appliances installed. The greatest security technology in the world will not secure anything unless it is administered well. Technology has a role in IT security and that role is to support good practice.

Joyce Becknell:
Tony has touched upon some really important points here, and I want to explore them a little more in depth. He believes that security staff needs to understand both the business requirements as well as the impact on technology – which is different than saying they need to know how to work the security into the technology. I think what’s important here, is the implication that these must be holistic, or architectural, or systemic people who are looking at the picture from a higher view and not getting caught up in the minutia. It seems to me that as an industry we understand that no one product is going to provide the consummate organizational security blanket, but the only alternative seems to be lots of point products oriented toward very specific technologies or developing a staff that understand the intricacies of encryption and legalese.

This seems to me a much easier thing to say than to do. I think there is an underlying issue here about the relationship between the business staff and the IT staff in any organization. As in all things, different organizations approach this differently, but it would be good to see some best practices emerging on how to approach this. There is a tendency to use financial institutions as an example, but I think they are not the norm that most organizations will use. However, it does segue nicely into Tony’s second point, that in addition to people who can view the overall picture, at an organizational level, processes and disciplines need to be put in place around that security. Which leads to the question- should most companies be focused more on people and processes now than on particular security products? I think most organizations are suffering security breaches now because the people and process side are not as advanced as the products they have in place.


Tony Lock said...

Tony Lock:
Joyce is correct; almost since IT began to be deployed on systems other than the Mainframe, a platform that remains to this day the most secure and reliable, ‘security’ has become more of an issue. Partly this reflects the fact that organisations are now almost completely dependent on their IT for many main line business operations. But in my opinion it reflects the fact that most systems enjoy nothing like the comparable processes and best practice experiences that have been developed to support mainframe operations. Change management and employing highly skilled and very experienced staff running sophisticated, well understood, and documented, processes are to be found at the core of mainframe operations. Little, if anything, is left to chance. Clearly the mainframe has excellent security features built into it at a technical level but without good management practices supporting its daily watering and feeding these would soon be overcome. Security is all about good practice in systems administration. Good technology plays merely a supporting role.

Tony Lock said...

It should also be recognised that not all IT and business systems require the same levels of secure operations. All systems are not of equal value and do not require similar levels of security to be applied. It is essential that organisations evaluate the security characteristics that each operational system demands in the light of business requirements. This allows security needs to be put into an appropriate and realistic context. Such knowledge must not ignore the well known, though frequently unacknowledged fact, that the majority of “threats” to the security or inappropriate access of corporate systems originate today inside the perimeter of the organisation, not outside the firewall.

jeba.talent said...

This web page has very useful stuff about share market