What businesses really need in security technology

It's easy to get confused when you review the myriad security solutions on the market. Don't worry about thwarting every possible risk, experts say. Instead, focus on the information you most need to protect.

In Summary:

Determine whether your existing security solutions can handle new threats.

Choose automated tools whenever possible to minimize total cost of use.

Focus on data that poses a high financial or regulatory risk if it is compromised.

Lax security can lead to business disaster, but worry is no basis for your company's security strategy. In June 2006, Neil MacDonald, vice president of Gartner, told attendees at the technology consultancy’s annual IT Security Summit that companies of all sizes spend too much on network security. By 2010, he predicted, only 10 percent of emerging security threats will be so different from their predecessors that they will require new products to block them. Yet companies continue to buy new products to defend against threats that their existing security solutions could handle.

Midsize companies with limited budgets need plug-and-play security with minimal need for manual analysis or intervention, says Ken Zolot, a senior lecturer in entrepreneurship at the Massachusetts Institute of Technology's Sloan School of Management. Choose intelligent tools that watch for suspicious activity and act automatically when they identify it, he advises.

If you discover gaps in your security strategy, ask your vendor to connect you to other companies with similar concerns so you can create reasonable benchmarks, suggests Alan Coburn, managing consultant at DNS, a Microsoft Gold Certified security services firm in London. If MacDonald's prediction is correct, you might discover you can solve problems using the technology you already have.

Work from the inside out

Most companies harden their network perimeter first, then secure applications and lock down actual data last—even though data protection is the reason for network security. That's why Zolot, who designed the basic Internet security architecture still used by much of the global financial services industry, says it's time to "declare defeat on surrounding the perimeter" and "focus on protecting key information" instead. For example, software that tracks and reports on database-level access records can spot attempts to break in from the outside. It can also identify legitimate but unusual data use that suggests an internal security breach, such as a pharmacist who places a suspiciously large order for narcotics.

To determine which data to protect first, take a risk-based approach, Coburn advises. Ask yourself what types of data are most critical to your company's revenue, reputation, or regulatory compliance, and how vulnerable that data is. Focus your investment on situations where the probability of attack is highest, the consequences are worst, or both.

Most important, Coburn concludes, don't succumb to paranoia. "If you spend $100,000 on security but the assets you're protecting are only worth $10,000, wouldn't it be better to invest that money elsewhere?"


Fawn Fitter

Fawn Fitter is a freelance writer in San Francisco who specializes in business and technology. She contributes regularly to the Microsoft Midsize Business Center.