Iain Franklin explores the practical side of planning for and buying security, what it means for an organisation, the questions to ask and the methodologies that can be exploited when embarking on a security infrastructure revision.
Traditionally, IT security has stopped at the perimeter of the business, but this is changing. Businesses are also starting to understand the impact of poor security on their business continuity. Buying security poses a unique set of problems, as there is no direct financial benefit to the organisation in the eyes of most financial officers. Security is an insurance policy, and ensuring budgets are accepted involves research, planning, education and a certain amount of tenacity.
The importance of security has risen up the corporate agenda, but so have cost cutting and revenue maximisation. Security's position on the agenda has largely been driven by technology's place as an integral part of daily business life and the negative media coverage received by those that have fallen foul. In the past, computers were used for internal tasks that did not directly impact the organisation's ability to function. However, modern computer systems touch on every aspect of a business, tangible and intangible.
Risk assessment
Before a company can begin to review IT security provisions, it must understand exactly what needs protecting and the risks the business is exposed to if insufficient provisions are put in place. Vulnerability and risk assessments are essential to expose areas of weakness and to identify process and contingency failings under any number of disaster scenarios. This may not be a task that you are equipped to manage internally, so budgeting for it may be a prudent decision. Without a risk assessment you will not be able to make cost-effective decisions further down the line.
Data is key
It is no longer a case of simply protecting the computer system and ensuring users can access their e-mail. What actually needs protecting? Start with the data and understand that this is the centre of the organisation and the point at which all information is stored and extracted. The value of this intellectual property increases with each day as it becomes more refined and continues to grow. Understanding how this property is dispersed across the organisation is vital: how many offices are being protected, how geographically spread are they, and will there be a need to protect data on different architectures and platforms, such as Unix/Windows and wireless networks?
The UK Data Protection Act clearly stipulates that the directors of an organisation are held directly responsible for any misappropriation of data held by the company, and are liable for prosecution. It is vital that you ensure that the board is aware of this fact during the security review process, as it may become an encouraging factor when seeking an appropriate budget!
In addition, security, or rather a lack of it, can affect less tangible business assets. Share prices are often affected by web defacements or media coverage of hacked e-commerce sites. Customers will not shop with you if confidence in the safety of the website is in question. Ultimately, an organisation's reputation is key to its success, totally intangible and very hard to repair once damaged.
Designing a strategy
Of equal importance is understanding where the company's future lies. Although this may seem obvious, and is taken into account when preparing an umbrella IT strategy, the specific security implications of the corporate strategy can often be overlooked. It is highly likely that there will be new ventures, such as the increasing virtualisation of the business through home working, or a planned expansion that will impact the way IT is being used within the organisation. Having a clear understanding of corporate strategy is essential when designing a security strategy that will evolve over a number of years, rather than need replacing in two.
It is clear that understanding the reach that security has within an organisation is key to ensuring that all the relevant resources are utilised when beginning a security review. Once all the necessary background information has been collated, a true picture of the organisation will emerge and the strategy required to meet future security needs will start to suggest itself.
Formulating the security review itself must not be restricted to a hardware/software shopping list. This is a common mistake, which can result in weak security provisions. A layered approach should be adopted when defining the details of the review. Firewalls and anti-virus software will always be an essential part of any security provision, but are not sufficient to constitute an effective security strategy within modern organisations. Layering security products will create a much deeper defence mechanism. For instance, techniques such as intrusion prevention software, biometrics, smartcards and swipe passes work in such different ways and at such different levels that combining them creates a much stronger security infrastructure.
A layered approach will involve looking at policy, hardware, software and education to ensure that an effective strategy is formed. When considering the areas to be reviewed it is important to bear in mind that the organisation's security is only as strong as its weakest link.
Users are often the weakest link
The most difficult to control and often overlooked aspect of any security infrastructure is the human firewall. No matter how solid the defences implemented, users will ultimately be the weakest link in the chain. Educating them on the implications of writing down passwords, or of setting software to remember passwords, is only part of the problem. This process of education must be ongoing and form an integral part of every new employee's induction and departure.
Educating users on the issues surrounding mobile computing is critical to protecting those elements of the corporate network that go out into the public domain every day. Laptops and PDAs hold a variety of information and provide access to e-mail and other network resources; even an opportunist thief could benefit from information stored in a poorly secured device. It is particularly difficult to enforce standardisation and policy amongst PDA users, as they are usually the owners of the device. Because owners do not see the PDA as a computer, they are much more careless with them than they would be with a corporate laptop.
In-house or outsourced?
So, having put a plan in place to educate the users on the importance of security, the next step is to take a good look at the expertise available in-house. It's very tempting, if resource is low, to look at a managed security service, but this should be considered with a great degree of caution. For trusted security, it is better for a company to keep the function in-house. Most people outsource security because of a lack of knowledge or resource within the company, without really comprehending that they will still need to become involved at a certain level.
The really important thing to note when considering whether or not to outsource security is to appreciate that it does not remove responsibility from the outsourcer. Any business remains ultimately responsible for its security and for protecting its information and assets. The one consideration should always be: which method will keep the business more secure?
Presenting to the board
By the time you get to the stage of actually writing the security proposal, which will be presented to the board, you will no doubt be buried in a deluge of information. Ensuring this is laid out in a clear and concise way is important, but the most important thing is to take time over writing the executive summary. Remember who the audience is: the board will not have the time or inclination to read a 50-page proposal containing misuse policies and disaster recovery plans.
A key issue for any organisation looking at extending or implementing security measures is always going to be budget. In the current economic climate, management teams and corporate boards generally require metrics, particularly return on investment (ROI) statistics. But when putting your proposal to the board, you must make them understand that it's futile trying to calculate ROI for security products. A thorough risk assessment should be the basis for any investment in security. When considering security spend, companies must think about the consequences of a security breach: the greater the harm that might result, the higher the security levels need to be.
Another important budgetary consideration is training. Will you need to train your staff in how to use new systems? Have you the expertise to do this in-house, or will you need to use outside consultants? Don't forget the costs of training and educating the staff generally within the organisation: will you need to run seminars, or produce guides to help them understand the issues?
Once you've looked into all these aspects, you should have a good idea of how your security policy is shaping up. Once you know that, you then get a clear indication of what needs protecting, which types of product you need and how to deploy them. Presenting this information in a clear and concise way will be the secret to securing project go-ahead. Take as much time on preparing documents and considering the audience as you did on research, if not more. The proposal document and any presentations are the sales collateral that will determine whether you are successful. Poorly thought out projects are often approved because of great proposals, but it rarely works the other way round.
Top ten questions to ask yourself when buying security
1) Do you know what you need to protect?
2) Do you know what you are protecting it from?
3) Have you completed a risk assessment?
4) Have you researched the legal obligations of your company?
5) Does your security strategy mirror your business strategy?
6) Have you considered the training implications for users?
7) Do you have appropriate skills and resource in-house to fulfil the project, or do you need outside help?
8) Have you planned for the use of mobile technology within the organisation?
9) In-house or outsourced? Have you thoroughly investigated all the options?
10) Unlike other IT projects, you can't use ROI metrics to secure a security budget. Have you got the right kind of evidence to support your case?
If you can answer all these with a 'yes' then you are ready to take your presentation to the board!
Iain Franklin is European vice president of Entercept Security Technologies.

Date: 14th April 2003 • Region: Worldwide • Type: Article • Topic: ISM