
IT Security — Building a Case

CIOL Bureau

By: Subash Warrier, CEO, vFortress Network Security Pvt. Ltd.


Introduction



With the increasing use of IT for normal day-to-day business functions, IT Security is a hot topic of discussion for organizations. Any discussion on IT Security will inevitably lead to the following conclusions:

  1. Management does not buy into IT Security.
  2. IT Security best practices are difficult, if not impossible, to implement.

Why are the above common complaints of Chief Information Officers (CIO) and Chief Security Officers (CSO)? This is because:

  1. It is difficult to convince management about Return on Investment (ROI) and the cost of bad security.
  2. While physical security imposes little or no change to the way somebody works, IT Security has an immediate impact on how one works. Human beings resist change.

This article delves into some of the above issues to ensure that IT Security becomes a common practice in one's organization.



IT Security — Building a Case

All managers understand ROI. Hence one should build a case based on ROI. You need to convince them about the ROI from security. The table below shows how you can build your case:

Business Case                                   | Benefit
------------------------------------------------|------------------------------------------------------------------------------
We will continue to get ROI on our applications | By securing our applications we can make them available for use from outside our network
Protect intellectual assets                     | Our competition would like to know what we do. We will be able to prevent information from leaking out.
We can maximize efficiency and productivity     | Using security we can deliver the right information at the right time to the right person in the right manner on the right device
We can maximize loyalty                         | We can ensure that the customer's information is safe with us and thereby maximize loyalty

IT Security — What to do?

Before one gets mired in processes and policies it is necessary to figure out what one needs to do. Here again, look at the case for building a consensus using ROI. This should give you a clue. Here are two equations that will help you understand what to do.

$$\text{ROI on Security} = \frac{\text{Security\_Counter\_Measures} \times \text{Business\_Value}}{\text{Threats} \times \text{Vulnerability}}$$

$$\text{Cost of Poor Security} = \frac{\text{Threats} \times \text{Vulnerability} \times \text{Business\_Value}}{\text{Security\_Counter\_Measures}}$$

Clearly two factors are in one's control, namely increasing Business Value and increasing Security Counter Measures. These will surely increase the ROI on security.



Increasing Business Value

At the most basic level, most applications deliver the critical information that helps all users make more informed decisions. The ROI for these applications is premised on their free and unfettered use — that critical applications can be used when and where they are needed, by the people (and only those people) who are granted access to them. Unfortunately, the value of these applications often cannot be realized because of unaddressed security risks: application data is often vulnerable to eavesdropping, unauthorized users (both internal and external) can gain access to critical applications, and certain applications are too risky to be deployed beyond the enterprise network. Clearly the method to increase business value is to raise the accessibility of critical applications while countering security risks.

Increasing Counter Measures

The surest way to increase counter measures is:

  1. Have good Authentication, Authorization and Access Control. This is often more important than any 128-bit encryption.
  2. Ensure that the device a stakeholder uses to connect to your network is trusted. This is difficult to implement and no known technology can assure that a device is "trusted".

To ensure end-point security there are a few good options. A good way is to deploy a solution that does not give full network access to the remote device. Solutions in this class are server-based computing and application-layer VPN.



Increasing Security of Intellectual Property

The problem with securing Intellectual Property is that there is neither one complete process solution nor a complete technology solution. Some security processes, such as BS7799, may help. Security technology is further behind in attempting to solve this problem. There is no known technology that can track the movement of Intellectual Property, in the form of a document or application, at all times. For example, the biggest headache for gadget manufacturers is reverse engineering, especially when gadgets are given out to partners to test. This is an extremely difficult problem to solve.



Choosing Less Vulnerable Technologies

One of the common ways to reduce vulnerabilities seems to be to restrict the use of certain platforms and Operating Systems. Often this takes the shape of religious wars such as Linux v/s Microsoft. In most cases there is very little one can do when Linux or Microsoft has some vulnerability. However, choosing secure applications is something organizations can do. One can easily determine whether one application is more secure than another by understanding what network resources they use and how they use them. Similarly, if you are creating a bespoke application, one can require that security be considered at the design stage itself.



Summary

Clearly, if you focus on the ROI of deployed applications as the premise for creating security, one can get a wide consensus on implementing IT Security. Moreover, it clearly indicates what technology decisions and process methods you need to take to make your organization's IT infrastructure secure.