Six months on from Sept. 11, corporate and private worlds have re-visited the risk management strategies they have (or in many cases, have not had) in place for both cyber and physical realms. Even various countries are re-examining their overall security plans to ensure that they are doing the best they can to protect their citizens, their physical assets and their Internet-dependent infrastructures.
In April at the Techno-Security Conference in Myrtle Beach, South Carolina, experts from private organizations, as well as U.S. federal, state and local governments, will meet for a Homeland Security Summit to discuss appropriate defenses. At interactive sessions focusing on both law enforcement and technology issues, summit participants will review the challenges and solutions faced in the wake of an unthinkable act of terrorism; examine threat and vulnerability analysis techniques; go over training, law enforcement and first responder issues; discuss ways to protect critical information systems and the infrastructure the U.S. depends on; and appraise some of the lessons that can and should be learned as the world continues moving forward.
While this summit is one of many such brainstorming sessions held since last autumn, a great deal of work remains to establish proper precautions, policies and technologies that enhance both logical and physical security. This fact has not been lost on the more forward-thinking organizations preparing for the absolute worst in Internet and real-world attacks. Still, many others are only now discussing such plans as they wait, often in vain, for the funds to execute them.
According to many analysts, even though IT budgets are decreasing or leveling off this year, the amount of money allocated to IT security is often rising. That may hold true for some fortunate organizations, and there are more of them than among the tight-fisted companies of last year, but a host of others are tasked with making do with what they have. That is, according to other experts, they must shuffle money around like chess pieces to make whatever moves they can to secure their networks, their buildings and their people.
Whatever the fiscal situation confronting IT managers, most IT security pundits say that companies do not necessarily need more money to throw at a problem that is too often fixed with a band-aid approach. To maintain the integrity of their information assets on an ongoing basis, companies must be disciplined in planning and managing their infrastructures.
"The simple answer is to have in place a security process and use tools that allow for continuous and regular updates," advises Amer Deeba, vice president of marketing for Qualys. "Unfortunately, many security products require expensive software installations and a lot of in-house security expertise, which often is not feasible for small companies or enterprises with a limited security budget."
To address the increasingly worrisome shortage of expertise, training organizations are doing their part as well. In addition to the established training programs offered by SANS, CSI and MIS, (ISC)2 has created its own (ISC)2 Institution to meet the demand for seminars that prepare professionals for the Certified Information Systems Security Professional (CISSP) certification. In 2001 alone, worldwide demand for the CISSP credential grew by about 134 percent, says (ISC)2 Managing Director James Duffy.
As for having a process and a plan in place, experts advise that there is more to it than setting forth some rules and steps to follow. It is not enough to establish a business continuity plan once and then shelve it to collect dust; the plan must be tested and re-tested to ensure that it still works.
"Most companies are aware of how a business continuity plan will benefit their company; however, many are still not prepared to set aside the necessary resources to implement and, more importantly, test the plan," notes Richard Davis, sales director with HarrierZeuros. "Since Sept. 11, we have spoken to companies that had business continuity plans drawn up as far back as 1997, but hadn't thought to set aside the budget to review them regularly. Consequently, upon further investigation some of the plans have proved worthless, as they bear no resemblance to current business."
Keeping security, business continuity, disaster recovery, end-user and other policies and plans current with the business of the day is what it's all about. And action is what it takes. Yes, we're facing a tough economy, one that is supposedly recovering from the dusty black skies left after the WTC towers collapsed. Yes, we have a lot of catching up to do in more areas than security since that day. If the Sept. 11 events proved anything, it is the need to secure everything, IT infrastructures, physical buildings and, most importantly, people, and to plan for the darkest scenarios imaginable. Security has never been given the attention it receives today. Now this aspect of all our lives demands the money, resources, planning and time. It's all about action; it's all about now.
Illena Armstrong is U.S. editor of SC Magazine (www.scmagazine.com).