Building a Roadmap for Securing Your Enterprise
This chapter will arm you with the guidelines necessary to survive the information security onslaught. The odds are stacked in this battle, and not in the favor of the defenders. If there is to be any hope of coming out of the war victorious, you need a serious strategy. This chapter is designed to give you an introduction to that strategy in the form of an information security roadmap.
Proactive Versus Reactive Models
We have a saying in the consulting field in regard to IT security spending: "The easiest client to sell security services to is the one that just got attacked." Unfortunately, the statement is as sad as it is true. The simple fact of the matter is that most organizations only react to security threats, and, oftentimes, those reactions come after the damage has already been done. For example, patching your legacy systems after an intruder has already stolen your customer records won't help regain consumer confidence. Starting a log monitoring effort after a contractor has sent your research and development data to an overseas competitor will not bring back your competitive advantage. Convincing executives to encrypt their high-value data after their laptops have already been stolen won't reverse their earlier mistakes.
Although all these tactics are positive and encouraged courses of action, they don't stop the problems before they occur. It is for this reason alone that, when operating in catch-up mode, security programs will be only marginally successful at best. The key to a successful information security program resides in taking a proactive stance toward security threats, and attempting to eliminate vulnerability points before they can be used against you. By defining and organizing the information security effort beforehand, organizations stand a chance against the seemingly endless onslaught of security threats in the world today.
This is, of course, easier said than done. However, if proactive security measures are done right, there is a light at the end of the tunnel. You'll want to perform the following tasks to launch a proactive security program:
Understand where the corporation's assets reside
Reduce the number of vulnerability and exposure points
Secure systems and infrastructure equipment
Develop, deploy, and enforce security policies
Develop, deploy, and enforce standardized OS configuration and lock-down documents
Train administrators, managers, and developers on relevant areas of information security
Implement an incident-response program
Implement a threat-identification effort
Implement a self-audit mechanism
Educate, educate, educate, and educate
By getting these efforts off the ground, you can help place your organization in the driver's seat, and help reduce the amount of time you spend chasing your tail.