NEW YORK -- An enterprise that spends a small fortune on information security systems can still be brought to its knees by technology that's cheap and readily available, according to panelists at a recent conference. So, companies need to make sure their security spending focuses on areas specific to their business.
Panelists at an IT leadership summit hosted by Westport, Conn.-based Robert Frances Group Inc. also encouraged IT decision makers to communicate with their line-of-business counterparts to outline realistic security goals and to prioritize them.
"Be careful not to be a lone soldier, or [take a] bottom-up approach," said Anne Ferraro, vice president and regional information risk manager for JPMorgan Chase in Latin America. "Begin to collaborate, to work in unison to express the vulnerabilities and the reasons why you need the funding or why you need to implement solutions."
However, Ferraro and her fellow panelists sounded a familiar caution about IT security.
"You can never be 100% secure," she said. "It's impossible. Get that thought out of your head. … You would put your company out of business by spending too much money and too many resources."
And even if spending were not an issue, Ferraro said, it only takes one $10.50 modem to bring everything down around you.
A security expert who was not at the summit offered similar advice.
Today, the enterprise is better off mapping out the "right
"Set up [a] network on the Internet and you could probably reduce risk 80% to 85% -- not e-mail -- by just putting filtering rules on the router," Robertson said. "You already have the equipment, but you are reducing risk and not increasing spending."
Robertson also advised that an enterprise not necessarily focus on what may be considered the "best" technology available, because even the best $29,000 firewall may not focus on the risks specific to that company.
"Both firewalls are likely to reduce the risk by the same amount," he said.
Preston Wood, chief information security officer for Salt Lake City-based Zions Bancorporation, said that IT professionals should challenge how their company moves forward with funding initiatives, while being able to translate technology risks and vulnerabilities in business terms for company executives.
"How does this impact the business? What does this mean to the business? You need to translate these risks and vulnerabilities," said Woods, who sat on the risk management panel at the Robert Frances Group summit.
When IT is attempting to communicate with their company's executives, Robertson said, administrators should be up front about items like cost and how technology will place restrictions on the enterprise. Open communication is key, along with the ability to articulate the threats and knowledge of how to build out infrastructure.