KISS Your Security Measures

B. Ostergaard

Summary Bullets:

  • Pay attention to basic security procedures and attitudes
  • Explore quantifying the risk from an insurance perspective

Most attacks on most networks could be defeated with just four key strategies, according to this year’s winner of the SANS Institute 2011 US National Cybersecurity Innovation Award, Australia’s Defence Signals Directorate: patching applications and always running the latest version of the software; keeping operating systems patched; keeping admin rights under strict control (and forbidding the use of administrative accounts for e-mail and browsing); and whitelisting applications. The basis of these recommendations is that security is a behavioral problem, not a technical one. In other words, if users don’t follow basic security procedures and hold the right attitude, no amount of technology investment is going to create the needed security.

So how do you, as the corporate head of governance, risk and compliance (GRC) processes, instill these key strategies in the organisation? Patching and constantly updating applications is neither an easy nor an enviable task, because corporate apps often interact with other apps that may not take kindly to patches or updates. Patching requires a lot of testing, and you risk irritating users who find their normal activities disrupted. The same applies to application whitelisting: many users want the right to deploy new apps to get their jobs done more expediently, and having to go through an IT department’s vetting process again creates a delay.

This gets us to the crux of the problem: how to define the business value of risk? If corporate users are made painfully aware of the possible economic losses that stem from ignoring obvious and straightforward security procedures, maybe their assessment of ‘wasted time’ will change as well. One way of putting a number on this is to ask your insurance company to estimate the premium they would charge to indemnify you against financial losses attributable to neglecting one of the above-mentioned four key strategies (you can obviously add other simple security blunders to the list).

CISOs will still face a plethora of different security risks they need to address, but wouldn’t it help a lot if those security measures were built on reliable basic security processes and attitudes throughout the company? I’m hopeful. After all, we have moved on from the security attitude of the early noughties, when ‘real men didn’t make back-ups’.

About Bernt Ostergaard
As Research Director for Business Networks and IT Services at Current Analysis, Bernt covers the competitive landscape for system integration and IT service provisioning, and analyzes managed security services across carriers and IT service providers. He brings with him a broad understanding of the competitive issues and environment that currently exist in the rapidly changing IT services and telco sectors.
