June 04, 2003 (Computerworld) For some organizations, the recent spate of worms and hacking attacks has suddenly made security front-page news. For other organizations, security has been a multiyear journey: not toward a fixed destination, but toward greater discipline and attention to technical and business integrity.
For all, security means making changes: changes to the software development life cycle, to the desktop environment, to network architecture and remote access, and to business processes. If you’ve been in the IT business for 10 years or more, you have probably seen these changes.
Before you can make changes, you have to know what to change. What things in your organization are being built, run or performed the way they were 10, five or just three years ago? While the guiding principles of security best practices are still pretty much what they were several years ago (and justifiably so), the ways in which they are applied are still changing and improving. Part of this is because threats are evolving rapidly, and part of it is because we are learning how to better protect our environments: The tools and techniques are improving all the time.
What’s wrong with information security in your organization? Unless you’re one of the lucky few, I’m sure there is plenty. Ask yourself the following questions:
- Is your remote access encrypted, and does it use strong authentication?
- Is customer information on your Web server?
- Are you keeping up with security patches?
- Has anyone taken a good long look at your firewall rules lately?
- Is anyone watching the logs on servers, firewalls and intrusion-detection systems?
Unless you or someone in your organization has the time to stay current on security issues and keep systems, firewalls, routers and everything else well configured, then your organization has a problem. Unless it is being regularly updated, any system or network device that was built and implemented more than two years ago lacks today’s best security practices in one or more areas. Sooner or later, a script kiddie or a disgruntled employee will find, expose and hurt your company.
Get Objective Opinions
If telling management that changes are needed feels like a career-threatening move, then a good solution may be to find some well-respected, objective information that can help them to understand that the status quo is leading them straight to catastrophe. This information may be in the form of articles describing best practices in layman’s terms or, at the other end of the spectrum, detailed findings of a security assessment. If management won’t consider even a small, focused security assessment, then you’ll have to rely for now on free or almost-free information.
Think carefully about the risks in your organization. Are there any that can be mitigated with little or no investment, such as configuration or architecture changes? Prepare a case for reducing risk in a visible area that can be fixed without feeling like you’re trying to boil the ocean. Remember, small projects are more palatable and more likely to succeed than large ones. If you succeed, then perhaps you can address other areas of risk that are also in need of fixing. Be objective and analytical, and do your best to understand the risks that you see from the perspective of the people you work for.
It may be time to start tipping some sacred cows. Information security is making headlines. Senior executives — finally — care enough about information security to support the changes required to reduce risk. They are listening. Be heard.