The advent of the world of e-commerce has heightened awareness at large, medium, and small businesses that effective programs must be implemented to secure the safety and integrity of business information. In today's environment of greatly reduced technology budgets, every effort must be made to ensure that information security technology purchases are responsive to real, not perceived, risks to our business operations.
There is a propensity to spend a significant amount of money on technology tools that often do not provide a business value return on investment. Therefore, the first task to perform when considering information security technology deployment is a thorough risk analysis to assess the impact an issue or threat in the environment may have on your business operations. Threats may have substantial or no real impact, but a process must be followed to make that determination and then translate the finding into business terms.
For example, after the NIMDA virus infection, some vendors sent out an alarm claiming the NIMDA virus was capable of creating untold amounts of damage. They promised they had the answer to protect against future NIMDA attacks. Informed chief information officers, however, did not respond to the vendors' hype, nor did they recommend their companies spend millions of dollars installing new tools.
That's because they asked themselves one simple, basic question: What impact did NIMDA have on my business operations? At many large companies, the impact was minimal; it was more of a nuisance than anything else and didn't really justify huge monetary outlays for new technology implementations.
When technology leaders do not respond in this thoughtful manner, they often end up with tools that have no value to their company. The inevitable result of this, of course, is that they lose credibility in the eyes of their business partners, who may not respond affirmatively when there is a real need for technology deployment to protect their business operations.
Increasingly, CIOs are shifting their gaze from technology and focusing on the risks to the business environment. When you are proactive rather than reactive, you are able to put the right structure in place and build in flexibility that will allow you to respond aggressively to real threats to your business operations.
Compliance Check
At my company, after the September 11 attacks on America, we frequently were asked what changes we needed to make to our information security program. Our answer was that we did not need to make any changes. All we did was verify that our systems were still in compliance with appropriate security configurations and working appropriately. We were able to take this approach because we had proactively and strategically created a sound security infrastructure that allowed us to anticipate and respond to risks to our business operations.
It's also important to spend a good amount of time educating associates in your organization about security, making sure they know two things: (1) Security is a business issue rather than a technology challenge; and (2) each one of them has a role to play in an effective security program; they must be alert to their environment and report things that don't seem right to the proper authorities.
It is equally important that technology leaders fully understand not only the technology infrastructure at their company but also the business arena in which they operate. It's really critical that the two are linked together, and, of course, it's always going to be easier to have a discussion with senior executives about a business issue rather than something they think is a technology problem.
The CIO must make sure business leaders know security is an enabler, not a hindrance to business. It is the responsibility of the chief information security officer (CISO) to make sure the CIO and business leaders know and understand the risk and value associated with implementing security technology at the outset of new projects or campaigns rather than trying to retrofit a system in response to a threat.
Imagine the business impact there would be if you have a system rollout and no one has thought through all the risks to the system. You have to get business leaders to understand the risks of an inadequate security program by talking to them in their language and outlining the ways an effective security program will help them avoid risk. The complexity of today's business environments mandates this sort of contrarian shift in focus from technology to business.
There are vendors that prey on the uncertainty that is sometimes in the minds of business and technology leaders. But there are also well-informed vendors that come to the table offering clear business benefits by assuring security investments map well to the real business risk, provide a sound platform for growth and future enhancements, and work well with existing installed products. Therefore, it is incumbent upon the CISO to identify and work with those vendors that have a business focus in their product lines that adds value and does not merely capitalize on fear, uncertainty, and doubt.
Find the Answers
Since security is not only about technology, you can't just buy the best new technology tool to secure your environment. You cannot overlook the need to perform a business risk assessment. You must know the answer to the question "What are the risks I face?" before asking "What technology gets me the best outcome?" Vendors may try to convince you they have the exact solution you need to respond to a situation or issue, but until you look at it from a business perspective, it's almost impossible to create and implement an effective security program for your company.
Finally, CISOs need to be out there benchmarking their security programs against each other. This spirit of cooperativeness must intensify to improve the overall effectiveness of information security across the financial services industry and business in general. For example, I participate in monthly teleconferences with a group of CISOs from other large business organizations. In addition, I recently hosted a roundtable for CISOs in the New York metropolitan area, with sponsorship from a leading security vendor, so that we would have a forum to exchange ideas.
Our commitment to a secure business environment must be proactive and industrywide to remain ahead of the curve of threats and dangers to our business environments. It is imperative that all organizations have and maintain effective security programs so that we can retain the public's trust and confidence in us as we conduct business in this new cyber age.
Ken Tyminski is chief information security officer at Prudential Financial. His responsibilities include information security policy, oversight of the company's security program, and review and evaluation of all information security-related technology.
State-of-the-Art Technologies Help Prudential Control Network Endpoints for Remote Workers
Prudential Financial faced business and security challenges associated with managing a force of approximately 20,000 employees who are either mobile or work remotely part time or full time. The challenge was the same faced by any company with a remote workforce: how to ensure that people with remote access do not compromise the integrity of the network.
For example, people with remote access could unknowingly infect Prudential Financial's systems with worms like NIMDA and Slammer when they connected. To prevent this, we sought a product that would give them better control of the entire network and that could provide assurance that employees follow the best security practices at all times.
With the understanding all networks have vulnerabilities, we sought out a technology solution that was able to isolate ports and notice patterns or unusual behavior and that could proactively eliminate vulnerabilities as they arise. We needed to make certain all end users are compliant with corporate security policy before they are granted access to the network. By having a clearly defined goal of what we wanted, we then were able to look for a technology that met our objectives.
Fremont, Calif.-based Sygate Technologies developed its enterprise product, Sygate Secure Enterprise (SSE), specifically to enable companies like Prudential Financial to enforce and automate security practices in order to increase control, reduce costs, and ensure compliance across the organization. Prudential Financial is using SSE to create, automate, and enforce corporate security policies. With Sygate, all Prudential Financial's remote workers are guaranteed to be in a trusted state before gaining network access.
The Sygate solution is made up of three components: a client-side security agent, which sits on the device at the endpoint; an enforcement server; and a management server. Whenever remote users dial into the corporate network (via a Nortel VPN), the Sygate enforcement server challenges the Sygate security agent, ensuring that the endpoint is compliant with corporate security policy. If it is, the endpoint is granted network access. If not, specific policies created via the management server can be pushed out to the enforcement server, which, for example, will make sure any endpoint that requests access to the network has up-to-date antivirus software. If it doesn't, the proper course of action is predetermined through automated policies.
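The challenge-and-decide flow described above can be illustrated with a small evaluator. The following is an added example written for this page, not Sygate's code and not Prudential's configuration: the policy fields (signature age, firewall state, patch level), the posture fields the agent reports, and the remediation actions are all assumptions, and the sample postures are constructed. It also covers the failure mode the text implies but does not spell out: a device with no agent cannot prove compliance, so it is denied rather than waved through.

```python
"""Hypothetical endpoint-compliance check modelled on the flow described
above: a client agent reports its posture, an enforcement point evaluates
it against policy from the management server, and non-compliant hosts get
a predetermined remediation action. Constructed example, not Sygate's code."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Policy:
    """Corporate security policy as pushed out to the enforcement point (assumed fields)."""
    max_signature_age_days: int = 3   # antivirus signatures older than this are stale
    require_firewall: bool = True
    min_patch_level: int = 12         # assumed monotonically increasing patch counter


@dataclass(frozen=True)
class Posture:
    """What the client-side agent reports when challenged (assumed fields)."""
    host: str
    av_signature_date: date
    firewall_enabled: bool
    patch_level: int


@dataclass
class Decision:
    host: str
    granted: bool
    violations: list = field(default_factory=list)
    remediation: list = field(default_factory=list)


# Predetermined course of action per violation, so the response is policy-driven
# rather than decided ad hoc by an operator at access time.
REMEDIATION = {
    "agent_missing": "deny; redirect to agent install portal",
    "av_signatures_stale": "quarantine; push signature update",
    "firewall_disabled": "quarantine; re-enable host firewall",
    "patch_level_low": "quarantine; push missing patches",
}


def evaluate(posture: Optional[Posture], policy: Policy, today: date,
             host: str = "unknown") -> Decision:
    """Enforcement-point decision for one access request.

    A device that cannot answer the challenge (posture is None, i.e. no agent)
    is treated as non-compliant: absence of evidence is not evidence of compliance.
    """
    violations = []
    if posture is None:
        violations.append("agent_missing")
    else:
        host = posture.host
        age_days = (today - posture.av_signature_date).days
        if age_days > policy.max_signature_age_days:
            violations.append("av_signatures_stale")
        if policy.require_firewall and not posture.firewall_enabled:
            violations.append("firewall_disabled")
        if posture.patch_level < policy.min_patch_level:
            violations.append("patch_level_low")
    return Decision(
        host=host,
        granted=not violations,
        violations=violations,
        remediation=[REMEDIATION[v] for v in violations],
    )


# Constructed sample postures, as agents might report them on a given day.
TODAY = date(2003, 6, 2)
SAMPLE_POSTURES = [
    Posture("laptop-01", date(2003, 6, 1), True, 12),   # fully compliant
    Posture("laptop-02", date(2003, 5, 20), True, 12),  # signatures 13 days old
    Posture("laptop-03", date(2003, 6, 1), False, 9),   # firewall off, under-patched
]


def run_checks(postures, policy=Policy(), today=TODAY):
    """Evaluate every reporting host plus one device that never answered the challenge."""
    decisions = [evaluate(p, policy, today) for p in postures]
    decisions.append(evaluate(None, policy, today, host="no-agent-device"))
    return decisions


if __name__ == "__main__":
    for d in run_checks(SAMPLE_POSTURES):
        status = "GRANT" if d.granted else "DENY"
        print(f"{d.host:16} {status:5} {', '.join(d.violations) or '-'}")
        for action in d.remediation:
            print(f"{'':22} -> {action}")
```

The design point is that the enforcement side never trusts a self-assertion of "compliant"; it checks each concrete policy condition and maps every failure to an action chosen in advance, which is what lets the response be automated.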
Sygate's automated policy management capabilities helped Prudential enforce its security program. It also improved the overall security of the network environment, prevented outages caused by human error, and alleviated the resource drain associated with eliminating vulnerabilities at a granular level.
Since we can't always know what a person has installed on machines outside the office (whether it is company equipment or personal equipment), it was imperative to ensure software on the remote system cannot negatively affect our network. Sygate gives us the ability to restrict and monitor what traffic and tools are being used through our VPN network.