Online Newsletter - January 2004

No Silver Bullet for Information Security:

By Todd Stephen,
Director, Information Security Services
 

Evolution of Security

Worldwide access to the Internet by organizations has created an advance in technology and business not witnessed since the Industrial Revolution of the 18th and 19th centuries. This advance, however, has given rise to a new and highly sophisticated security risk witnessed by countless individuals and corporations. According to the Whitehouse, property information theft comes at a price tag that exceeds 75 billion dollars annually.

Malicious hackers and corrupt internal employees are on a mission to break open the safe containing sensitive information. Their pursuit is fueled by financial gain, obtaining a client base, and prestige. The percentage of these incidents being reported to law enforcement remains low, therefore, attackers infer that the odds of being caught are strongly in their favor. This means more complex security measures are required to protect proprietary data.

Security is a Process, Not a Product

Simply put, buying the most recent tool, such as an anti-virus, is a valid attempt to secure information but will not adequately protect important assets. Security issues are far too complex and rarely solved by applying a piece of technology. Although there is no metaphorical silver bullet for information security, the most effective way to prevent a security breach is to have an organization evaluated in the context of their specific business. Almost all threats to security are rooted in organizational and business practices.

This evaluation otherwise known as a Risk & Vulnerability Survey will not be effective if conformed to a limited “bottom up” approach. To focus on the computing infrastructure and technological vulnerabilities, while ignoring risks to the organization’s mission and business objectives, defeats the purpose for overall protection. In order for the evaluation process to be truly effective, a company must pinpoint what needs to be protected, determine why it is at risk, and develop strategies that integrate both technology- and practice-based solutions.

A thorough and comprehensive Risk & Vulnerability Survey must:
• Incorporate assets, threats, and vulnerabilities
• Allow decision makers to ascertain priorities regarding what is important to the organization
• Include organizational issues regarding how people use the computing infrastructure to meet the organization’s business objectives
• Incorporate technological issues related to the configuration of the computing infrastructure
• Remain flexible so that it is tailored to meet each organization’s unique needs

Putting it All Together - Risk Management

Understanding threats and vulnerabilities through an evaluation or other means is only one component in an overall strategy of reducing risks, neutralizing threats, and strengthening an organization’s security posture. Information security is intended to ensure the confidentiality, integrity, and availability of information. Protection from threats that will arise from natural advancement of information technology is essential for the privacy of consumers, and the viability of businesses, governments, and the U.S. and World economies. A successful security program must integrate the various disciplines of security, constructing a layered defense and deeply rooted protection for an organization’s technological infrastructure.

The amalgamation of people, processes, and technology make it possible to create and maintain an effective security risk management program. The ramifications of an information security breach to any organization – domestic or international, public or private – are far too costly for management to underestimate the value of proactive security. For more information please contact Talon at the number below, or e-mail us at robynw@talonexec.com.