NEW YORK -- Risks abound in today's enterprises, and at any moment a disgruntled employee, poorly trained users or a hacker can bring business to a screeching halt, causing huge financial and productivity losses. Proper planning and implementation can significantly reduce the impact of such events.
"Reactive security is like the little Dutch boy plugging holes in a leaking dike," said Computer Associates Executive Security Advisor Diana Kelley during an Infosecurity New York conference presentation last week. "Eventually you're going to run out of fingers."
Essentially, reactive security fails to protect, fails to respond in time, doesn't meet compliance regulations and is an example of overspending while under-protecting assets, Kelley said.
"It's a malware world and we need to protect our systems from it," Kelley added. For example, Computer Economics pegged the cost impact of the Blaster worm at more than $1.5 billion.
Citing 24x7 data centers, VoIP, next generation PDAs, "smart" phones and P2P's expanding reach, Kelley said such technology creates increasingly complex systems that need a more proactive approach to security. She offered six steps for organizations wanting to move toward a more strategic, proactive security model.
Step 1: Understand business and technology requirements
What is your business trying to do? What technology do you need? Are you geographically distributed?
Step 2: Understand the constraints
Think legacy systems, processes and policies. Mainframes, client/server applications, DOS-based applications. What is of value to your business? What's the cost of loss?
Step 3: Select the right technology
Technology is about getting business done. Build detailed requests for proposal based on the above requirements. Know what you need before you talk to a vendor.
Step 4: Build a plan
Based on the above information, create an action plan. Inventory and assign value to the assets and protect them around business needs. Buy-in from all interested parties is important.
Step 5: Test and train
Systems, applications and people have a tricky way of behaving in production environments. Before rollout, ensure that the solution works within a relational context. Untrained users are one of the biggest vulnerability vectors. Get sign-off. Consider "human" ways to engage the entire organization in the security process.
Step 6: Implement
Roll out new solutions and processes into production. Communicate changes clearly to affected parties. Manage and monitor effectiveness of the solutions. Use reporting and metrics as proof points.
"If you don't do all the steps, you're going to end up back in reactive mode," Kelley cautioned.
Kelley believes that security needs to undergo a cultural shift so that security becomes everyone's business. "Rome wasn't built in a day, but if we don't get strategic now we're going to be here again in five years talking about the same problems."