The CIO’s Job: Protecting What Matters

For the CIO, however, the objective is to provide an appropriate level of protection for each IT service, achieving a balance between two costs: the certain cost of security investments themselves; and the potential costs of a breach. Security spend should be prioritized towards necessary, relevant and business-essential security initiatives. For instance, a key corporate application going down could potentially affect the entire enterprise. An email server crashing could make communications difficult for a proportion of the workforce. But a single PC failing will directly affect just a handful of users.

There is also a need to distinguish between threats and vulnerabilities that cause “normal” security breaches, which can be handled by technology and controls, and breaches that have high-impact consequences (directly eroding earnings or brand integrity by becoming public knowledge), which require special attention and meticulous care. Having a sound infrastructure is only part of the solution, however.

It is also vital to combine technology-based security measures with user education and behavioral changes, and to establish security policies that are rigorously enforced. Users need to understand, for example, not just why passwords must not be written down or shared, or why regular data backups are important, but also how to handle the threats coming directly to their PCs (usually via email) that could affect the entire network.

New Tools & Technology

Your community of business users may well include a number who are very technology aware, and who make use of a wide range of consumer devices and Web-based technologies they feel would enhance their productivity at work. BlackBerries, iPhones, instant messaging, VoIP, Internet-based file-sharing, RSS feeds, social networking sites, Twitter, blogs—these and more could all have a role to play in enhancing collaboration or information sharing in the working environment—but they would need to be integrated with existing business systems and security measures so the advantages can be exploited safely and securely.

Users’ impatience to see these tools installed may mean, however, that you have to deal with the potential security issues that arise from so-called “grey nets” or “shadow IT”—networks of applications and devices installed by end consumers that are not sanctioned by the IT department, and which may therefore expose the enterprise to unknown risk.

A serious security breach could damage your company’s reputation, brand image and competitive position, taking time and resources to correct, distracting resources from core business activities, and jeopardizing compliance. But most security incidents are not the result of a coordinated attack; rather, they stem from simple human error.

Whether it is carelessness, or deliberate circumvention of “awkward” security policies, mundane everyday user activities present a significant danger. The trick is to strike a balance: protecting against security risks without unnecessarily affecting business operations.

James Menendez is the VP and general manager of Global Security Solutions (GSS) within CSC’s North American Public Sector (NPS) - Enforcement, Security and Intelligence division. In this role, he has executive oversight and accountability for the direction of information risk management service delivery across all global CSC markets and internal CSC systems and networks. Mr. Menendez is responsible for driving the development and delivery of GSS to commercial and public sector clients globally, including risk management consulting, systems integration, compliance management, managed security services, security outsourcing, and off-shore security service delivery.