
'Over' and 'under': The dangers of reactive security

Security pros are "overworked," "overloaded" and "overexposed" while remaining "understaffed," "underfunded" and "under the gun." It's time to think strategically.

NEW YORK -- Risks abound in today's enterprises, and at any moment a disgruntled employee, poorly trained users or a hacker can bring business to a screeching halt, causing huge financial and productivity losses. Proper planning and implementation can significantly reduce the impact of such events.

"Reactive security is like the little Dutch boy plugging holes in a leaking dike," said Computer Associates Executive Security Advisor Diana Kelley during an Infosecurity New York conference presentation last week. "Eventually you're going to run out of fingers."

Essentially, reactive security fails to protect, fails to respond in time, doesn't meet compliance regulations and is an example of overspending while under-protecting assets, Kelley said.


"It's a malware world and we need to protect our systems from it," Kelley added. For example, Computer Economics pegged the cost impact of the Blaster worm at more than $1.5 billion.

Citing 24x7 data centers, VoIP, next generation PDAs, "smart" phones and P2P's expanding reach, Kelley said such technology creates increasingly complex systems that need a more proactive approach to security. She offered six steps for organizations wanting to move toward a more strategic, proactive security model.

Step 1: Understand business and technology requirements
What is your business trying to do? What technology do you need? Are you geographically distributed?

Step 2: Understand the constraints
Think legacy systems, processes and policies. Mainframes, client/server applications, DOS-based applications. What is of value to your business? What's the cost of loss?

Step 3: Select the right technology
Technology is about getting business done. Build detailed requests for proposal based on the above requirements. Know what you need before you talk to a vendor.

Step 4: Build a plan
Based on the above information, create an action plan. Inventory the assets, assign a value to each and protect them according to business needs. Buy-in from all interested parties is important.

Step 5: Test and train
Systems, applications and people have a tricky way of behaving differently in production environments. Before rollout, ensure that the solution works in the context of the systems, processes and people around it. Untrained users are one of the biggest vulnerability vectors. Get sign-off. Consider "human" ways to engage the entire organization in the security process.

Step 6: Implement
Roll out new solutions and processes into production. Communicate changes clearly to affected parties. Manage and monitor effectiveness of the solutions. Use reporting and metrics as proof points.

"If you don't do all the steps, you're going to end up back in reactive mode," Kelley cautioned.

Kelley believes that security needs to undergo a cultural shift so that security becomes everyone's business. "Rome wasn't built in a day, but if we don't get strategic now we're going to be here again in five years talking about the same problems."
