"Security is no longer a should-have; it's a must-have," says Jim Lima, channel marketing manager at Check Point Software Technologies.
All institutions face intrinsic risks as part of doing business. There are built-in risks in their operations and in their interactions with customers and partners. The recent flood of viruses, worms, and internet attacks has caused significant damage and massive loss of productivity within many enterprises. According to VAR Business Magazine, "There will always be new viruses to eradicate and hackers to hold off." Moreover, the recent explosive growth in wireless technologies and communications has only exacerbated these issues. As a result, everyone is continuing to spend more to combat these ever-evolving threats, yet security capabilities have often not risen to meet the needs of the business. Executives have to ensure that they are getting their money's worth. Delivering a well-rounded solution is a well-orchestrated event; it requires the application of physical, logical and privacy boundaries to users, processes and resources.
Meeting the challenges
To successfully achieve the desired results, several steps need to be taken. The first recommended step is the creation of a virtual security team. This team should contain representatives from across all of the main functional areas of the business, from IT to HR to Legal to Accounting. The main objective of this team is to develop a process to understand the risks and risk management processes of the institution. Working as a team, they will assist all functional areas to assess, detect, protect, correct and recover from security exposures in their IT and physical security environments. Full support from executive management should be given to this team and communicated to all employees. Team members should also be given ample room to operate without fear of reprisal from their respective areas.
It may be necessary to engage a security consultant to get the effort off the ground, but the effort should not be left entirely in the consultant's hands unless there are some unusual circumstances. A qualified team leader, reporting directly to a high-level executive, should be put in place to coordinate the activities of the group, provide briefings and updates to the executive team, and interface with any consultants who are retained.
No security plan is complete without provisions for ongoing awareness training. Employees, vendors, and contractors can make or break the security of your network, and they should all receive computer security training when hired and thereafter annually. The training should explain the reasons for security and ensure that everyone fully understands his or her responsibilities.
Some employers have made security certification training a formal step in their workforce development programs.
Security is never absolute. There is no such thing as complete safety or complete freedom from doubt or fear - people and organizations always face risks. Some risks can be eliminated, some can be reduced, and some can be accepted. There should always be an expectation that any security can be breached. Therefore, vigilance should always be maintained. According to IBM security experts, "An organization is 'secure' when it understands the risks, and is able to manage them so that the costs used to reduce risk are commensurate with the expected business value." As an operator of a business, you have to balance the cost of security with the benefits to your business.
Russell Sarder is president and CEO of NetCom Information Technology