Your organization is looking to you, the IT manager, to implement a security strategy that will protect the business and its customers from attack. How effectively and proactively you respond can have an impact on your career. Success hinges on establishing policies, procedures, and good communication with business managers.
If you understand what's important to the organization and why it's important, you can create a set of priorities.
James Quinnild partner PricewaterhouseCoopers
In Summary:
•
Develop a clearly-defined strategy that incorporates business stakeholder participation.
•
Develop a framework for managing security, through policies, procedures, schedules, and checklists.
•
Emphasize training and communication.
By now, most IT managers and CIOs recognize that security is one of their top job responsibilities; threats and attacks have become almost commonplace. According to the 2005 FBI Computer Crime Survey, 87 percent of U.S. organizations experienced some type of security incident in 2005. Nearly 20 percent of organizations surveyed encountered 20 or more incidents. Meanwhile, a PricewaterhouseCoopers, CIO, and CSO study of senior executives in 50 countries found that only 37 percent have an overall security strategy in place.
In today's fast-changing and often risky business environment, it is critical for IT to effectively secure systems — a process that's both costly and time consuming. Yet, at the same time, IT managers are expected to enhance worker productivity and implement new technologies that drive competitive advantage for the business. By adopting an organized approach to security, you will spend less time cleaning up messes, and more time helping your organization meet business goals.
Review patch levels for hardware, software, and network devices. Ensure that the organization has a policy and tools in place to stay current and protect systems.
•
As much as possible, consolidate security activities through automated tools. For example, Microsoft Windows Server Update Services helps administrators manage and deploy updates across an organization while providing advanced reporting capabilities.
Conduct a detailed review of logs, reports, and metrics. Use the information to identify gaps, problems, and best practices. Use industry metrics and general benchmarks whenever possible to gauge performance. One helpful source is the Center for Internet Security, which offers an array of tools, many free of charge. These cover everything from minimum care levels to advanced mobile and enterprise benchmarks for Windows XP Professional/Server 2003 and other applications.
•
Provide updates about emerging or ongoing threats for IT staff and security specialists — and as needed, for employees. For example: Application developers should understand how a hacker can exploit vulnerabilities in code; employees should understand how attacks occur, and how to prevent them.
Conduct a thorough analysis of security logs and other data to determine how quickly your organization responds to threats and patch updates, and where you can improve. By viewing when events take place and how and when staff responds, you can gain deeper insight into slow responses and other potential problems. If needed, adjust policies, procedures, and staffing as required.
•
Conduct a detailed analysis on any incidents and review the overall security infrastructure.
•
Review business processes and systems to identify flaws, such as un-patched systems and insecure instant messaging, which could lead to repetitive security problems.
•
Hold regular briefings for business leaders within the organization, and make sure all departments contribute to the security plan. A "security evangelist" should oversee various constituencies and ensure that appropriate feedback is flowing back to the IT staff.
A successful plan requires structure and business collaboration
To be an effective leader in security, IT must understand how to communicate with the business, and encourage stakeholder participation. If you do these tasks well, you will achieve greater compliance with security policies, and have a plan that meets your organization's business requirements.
Here are some tips to get started:
•
Align the strategy with business requirements. "If you understand what's important to the organization and why it's important, you can create a set of priorities," says James Quinnild, a partner at PricewaterhouseCoopers in Minneapolis and a leading authority on IT security. For example, a bank with customers in four different countries needs a security policy that can adapt to each country's specific regulations. Obtaining this information requires input from business leaders across the organization and a willingness to coordinate policies and solutions.
•
Build a security foundation from the start. Too often, says Karl Levinson, a senior security analyst at Apogen Technologies in Washington, D.C., business leaders simply deliver a customer relationship management or enterprise resource planning project to IT. "Security becomes an afterthought," he says, adding, "At that point, it's too late and too expensive to do it right." It's essential to have an advocate or security evangelist in place to facilitate interaction and communication among various business units and the IT department. This person must solicit ideas from various departments and factions, hold regular meetings, and keep key individuals informed on security initiatives and goals.
•
Adopt an organizational framework for managing security. One of the biggest problems companies face, says Anil Desai, an independent IT security consultant based in Austin, Texas, is a tendency to react to problems versus making a plan to manage security. As a result, IT staff is constantly putting out fires — which makes it difficult to find time to plan ahead. Desai, who is a Microsoft Most Valuable Professional, suggests creating checklists and schedules for managing security tasks. As well, assign specific tasks to IT staffers to ensure accountability. For instance, if you have a staff of five in your IT department, you might delegate the following duties to separate individuals: backups, updates and patches, e-mail and messaging monitoring, network monitoring and access management, and business alignment activities.
•
Make training a priority. Many IT generalists aren't particularly knowledgeable about security. And even for those who would be considered experts, it's tough to keep up with the constant barrage of threats. "Everyone within an organization must understand how they impact security," Quinnild says. Security education should include targeted training on threats, policies, rules, and procedures. Consultants, conferences, and industry newsletters can all play a role — though they often prove costly. Web-based resources such as the Microsoft Midsize Business Security Center, Microsoft Security home page, and SearchSecurity.com provide a wealth of free content and tools.
A secure environment requires a sound strategy and smart tactics: plan well, monitor regularly, and act quickly if something goes awry. IT managers who prioritize security and devote the time and staff to manage it effectively are more likely to achieve success — for their company and their career.
Samuel Greengard is a West Linn, Ore., writer whose articles have appeared in AARP, American Way, Arrive, Business Finance, Industry Week and Wired. He is a regular contributor to the Microsoft Midsize Business Center.
