By: Subash Warrier, CEO, vFortress Network Security Pvt. Ltd.
Introduction
With the increasing use of IT for normal day-to-day business functions, IT Security is a hot topic of discussion for organizations. Any discussion on IT Security will inevitably lead to the following conclusions:
Why are the above common complaints of Chief Information Officers (CIO) and Chief Security Officers (CSO)? This is because:
This article delves into some of the above issues to ensure that IT Security becomes a common practice in one's organization.
IT Security — Building a Case
All managers understand ROI. Hence one should build a case based on ROI. You need to convince them about the ROI from security. The table below shows how you can build your case:
| Business Case | Benefit |
| --- | --- |
| We will continue to get ROI on our applications | By securing our applications we can make them available for use from outside our network |
| Protect Intellectual Assets | Our competition would like to know what we do. We will be able to prevent information from leaking out. |
| We can maximize efficiency and productivity | Using security we can deliver the right information at the right time to the right person in the right manner on the right device |
| We can maximize loyalty | We can ensure that the customer's information is safe with us and thereby maximize loyalty |
IT Security — What to do?
Before one gets mired in processes and policies it is necessary to figure out what one needs to do. Here again, look at the case for building a consensus using ROI; this should give you a clue. The two equations below will help you understand what to do.
$$\text{ROI on Security} = \frac{\text{Security\_Counter\_Measures} \times \text{Business\_Value}}{\text{Threats} \times \text{Vulnerability}}$$

$$\text{Cost of Poor Security} = \frac{\text{Threats} \times \text{Vulnerability} \times \text{Business\_Value}}{\text{Security\_Counter\_Measures}}$$
Clearly two factors are in one's control, namely increasing Business Value and increasing Security Counter Measures. Both will increase the ROI on security.
Increasing Business Value
At the most basic level, most applications deliver the critical information that helps all users make more informed decisions. The ROI for these applications is premised on their free and unfettered use — that critical applications can be used when and where they are needed, by the people (and only those people) who are granted access to them. Unfortunately, the value of these applications cannot be realized because of unanswered security risks — application data is often vulnerable to eavesdropping, unauthorized users (both internal and external) can gain access to critical applications, and certain applications are too risky to be deployed beyond the enterprise network. Clearly the method to increase business value is to raise the accessibility of critical applications while countering security risks.
Increasing Counter Measures
The surest way to increase counter measures is:
To ensure end-point security there are a few good options. A good way is to deploy a solution that does not give full network access to the remote device. Solutions in this class are server-based computing and application-layer VPN.
Increasing Security of Intellectual Property
The problem with securing Intellectual Property is that there is neither a complete process solution nor a complete technology solution. Security processes such as BS7799 may help. Security technology lags further behind in attempting to solve this problem: there is no known technology that can track the movement of Intellectual Property, in the form of a document or application, at all times. For example, the biggest headache for gadget manufacturers is reverse engineering, especially when gadgets are given out to partners to test. This is an extremely difficult problem to solve.
Choosing Less Vulnerable Technologies
One of the common ways to reduce vulnerabilities seems to be to restrict the use of certain platforms and Operating Systems. Often this takes the shape of religious wars such as Linux vs. Microsoft. In most cases there is very little one can do when Linux or Microsoft has some vulnerability. However, choosing secure applications is something organizations can do. One can determine whether one application is more secure than another by understanding what network resources they use and how they use them. Similarly, if you are creating a bespoke application, one can require that security be considered at the design stage itself.
Summary
Clearly, if you focus on the ROI of deployed applications as the premise for creating security, one can get a wide consensus on implementing IT Security. Moreover, it clearly indicates which technology decisions and process methods you need to adopt to make your organization's IT infrastructure secure.