A brave new Europe?

The Changing Security Paradigm
Essentially, organizations are investing in IT security in an attempt
to protect corporate assets and mitigate risk. To achieve these
goals, however, organisations need to identify both the assets they
are trying to protect and the level of risk they are willing to bear on
those assets. By examining the risk factor according to business
principles, organisations are better able to determine which assets
are most valuable to them and how much they should spend on
protecting them. This solution-based view of security has
subsequently led to demand for services around consulting,
assessment and management to address security risks.
Increasingly, organizations seeking competitive advantage from
investments made to extend the enterprise will need to move away
from a reactive into a more proactive mindset by designing a
security culture that addresses the longer-term objectives of their
business.
Asset Optimisation Versus Risk Mitigation
Without question, as more and more business opportunities lie
"outside the firewall", security needs increase as companies open
their internal business processes to outsiders. This fact will force
companies to develop a more holistic approach to security and
it will push the demand for security expertise to deliver an all-encompassing
solution based on business need – not the reverse.
What is the holistic approach to security?
Holistic security means making security part of everything and not
merely a separate function. This bottom-up approach ensures
security isn't merely added to the enterprise; it becomes embedded
in all processes that enable business goals to move forward. Rather
than a necessary cost, in this way security becomes an enabler.
This has been driven by the need for enterprises to expand ‘trusted
relationships’ with customers, partners, suppliers and channels. To
improve security you will need to know more about who is being
authorised and what they are authorised to do as well as have
a level of assurance that all of this is being done properly. For
instance, as security becomes ubiquitous, people will improve the
processes that allow them to work more productively.
IDC's ongoing research amongst IT managers from establishments
actively engaged in e-business reveals significant security solution
"critical decision factors". These factors are a reflection of the
effort to balance widening access and effective security. These
include:
- Protecting assets from hacking by avoiding embarrassing Internet exposure and maintaining reputation.
- Integrating the security infrastructure by ensuring that the typically wide range of security products work together seamlessly and without excessive administration overhead from a single point of accountability.
- Enabling widened access to formerly "inside-only" content and applications to valued stakeholders while preventing unauthorised access both externally and within the organisation by ensuring valid credentials.
- Supporting e-business openness by ensuring that security does not block key business objectives with, for example, ease-of-use issues for external users or time-to-market delays for e-commerce business managers.
What's needed, then, is a roadmap for developing a holistic
approach to IT security: not looking at IT security as a set of
isolated tools designed to address specific issues as they arise, but
rather as a total solution, which considers all aspects and addresses
corporate/organizational imperatives for business continuity,
confidentiality and privacy, among other things. This brings security
into the bigger picture of risk assessment and management in
general. More specifically, a typical enterprise must address three
distinct yet interwoven risk areas:
- Physical Security
- Information / Transactional Security
- Business Continuity
While this study sets out to address information security only, it is
nonetheless essential to keep in mind that security is part of a “greater”
picture and, as such, can move issues beyond the IT department
alone.
Where do I begin?
The place to start, then, is an evaluation of risk, both
prior to implementing security processes and solutions and on
an ongoing basis afterwards. In formulating a proactive plan
necessary to implement effective IT security, many professional
security product and service vendors recommend a risk assessment
exercise in order to identify assets, threats and vulnerabilities, and
to develop a risk-minimized posture. In this way, the scope of the
risk at hand and resources needed can be earmarked. By extending
this then to the strategic goals of the organization, a plan can
be drawn up to prioritize the move towards holistic security in a
step-wise manner.
European organizations need to ensure that investment decisions
are made as a result of co-operation between the business side and
the technology side, that is, between the CEO and the CIO. Because
key issues around security investment today are strategic, rather
than driven by the technological push of only a few years back,
support of top management, including the board, is crucial to the
success of any security initiative. This is particularly the case when
considering the overall size of security investments. In general,
as security moves from point solutions to holistic solutions, these
investments quickly “outgrow” the decision making of IT departments in
isolation. While technology may be the facilitator to a desired end
state, it is overall senior management attention that will ensure
strategic alignment.
The study now strives to reinforce the above views by looking
at technologies, solutions and selected practical examples in the
market today. To this end, the remainder of the white paper is
divided in two distinct sections:
- Laying the Foundation looks at the here-and-now with security implementation levels today and solutions to address asset protection and secure access.
- Future Outlook then looks towards the design of new processes and future enablement, most notably secure e-business and partnering.
To be continued in the coming weeks...

05/2004, IDC / Steria
An IDC White Paper commissioned by Steria.