One mistake many organizations make in the area of information security is to assume that by applying more technology, they will keep their enterprise more secure. Rather than push the need for more security, companies should focus on “effective security”—where you evaluate your current position and then design and build a security approach that fits the needs and budget of your organization.
This holistic view of the organization’s security state provides a great starting point for mitigating security risk in the enterprise. Then, once the security risk assessment is complete, companies can architect, design and implement a solution that fits the needs of their specific business.
Don’t Rely on Retrofitting – Retrofitting security is rarely possible without having to redesign substantial parts of the system and, in almost all cases, retrofitting will be very expensive. Security must be an integral part of the system design from the start, not an afterthought.
However, retrofitting can solve tactical problems by filling in holes in an existing system, but it can create new strategic problems as well. To balance benefits against cost, companies should look to integrate solutions within an existing system, but be prepared to make the strategic investments needed to create a secure system that will last over time without requiring any retrofitting.
Really, one statement says it all: “Security is not something you buy, it’s something you do.” It is a process used to maintain a quality of a business’s IT systems, in the same way that scalability or availability are maintained. With the right process in mind and the right technologies to support these qualities, companies can maintain a holistic view of their overall goals and of security’s role within those goals, and develop a coherent execution plan.
Ace Swerling is the security director for Avanade, a global IT consultancy, focusing on Avanade’s Identity and Access Management business along with Core Security. He invented an architectural concept called Enterpresence to join identity, security, and SOA applications. This is a core tenet of Avanade’s application development methodologies. Ace worked in Microsoft Consulting Services prior to joining Avanade six years ago. While there, he was considered a SME on Windows and AD. He is also an Exchange Ranger.