"No [company] is ever 100% secure," said Jack Phillips, managing partner of The Institute for Applied Network Security in Boston. Phillips spoke to some 200 IT executives at the CIO Decisions Conference 2006 held last week in Carlsbad, Calif. "You cannot eliminate risk altogether."
Just like a parent in denial, a CIO sometimes has to learn the hard way, with news delivered in the middle of the night.
"People are a little more confident than they should be," Phillips said. "They think they're secure until something happens. There's an illusion of security."
When it comes to security, the first thing CIOs have to learn is that no security policy and system can be perfect. However, it is possible to sleep at night knowing your system is "good enough," Phillips said.
When is enough enough?
You can't eliminate risk entirely, but you can lessen your vulnerability. Look at it this way: you lock the door to your house. It's reasonably secured. You could add a few more deadbolts to the door or maybe a second, locked screen door. Then your house would have more security, but in most neighborhoods a simple lock is good enough.
Understand, however, that if you're asking yourself if you have enough security, enough is a relative term and "comes in many flavors and shifts constantly," Phillips said.
The key to making sure you have enough security is conducting a thorough risk assessment. That process differs depending on size of company, vertical industry and types of data contained in the system, Phillips said.
Sam Young, CIO at California's La Sierra University, said his most critical asset is his school's reputation, which relies on making sure private information stays private. It's not so easy in an environment where users are increasingly computer savvy. "It's pretty tough to prevent people from hacking our servers when we breed hackers," Young said, echoing the sentiments of many technology executives in higher education.
Students are always finding new ways to get around a secure system, Young said, even though in some cases there are eight to 10 layers of security aimed at preventing breaches. From his viewpoint, Young figures he can never be 100% secure, given the rapid-fire rate that technology changes.
"There are always vulnerabilities," he said. "You do an MS upgrade and something comes up. The simple thing of a password -- people are sticking their passwords on sticky notes on their computers; VPs are giving them to their secretaries."
Accepting that it's OK to be "good enough" is a first step. After that, Phillips recommends the following risk-based approach:
- Start fresh: Go back into your organization and make sure everyone is on the same page as to what should be protected and why. Define a level of importance to the business.
- Evaluate and order critical assets. What are your organization's critical success factors? What are the critical assets required for success?
- Estimate your vulnerability level. Consider external and internal threats and estimate the probability of loss.
- Determine the best way to secure each asset.
- Determine how much resources will be spent based on the value of the assets.
"You decide your risk profile," Phillips said. "No matter how you cut it, [it's essentially] a roll of the dice. There's no perfect solution. Sometimes you just have to say, 'it's a risk we'll have to take.'"
Let us know what you think about the story; e-mail: Kate Evans-Correia, News Editor
This article originally appeared on SearchCIO.com.