As technology advances in leaps and bounds, companies, especially IT organizations, pay close attention to safeguarding security. Despite these advances, security continues to be a vulnerable area in most organizations. This paper sheds light on the important elements of an effective security control program and the concomitants involved.
How can in-house controls be successfully implemented in an organization? The answer is pretty simple. The key is to leverage technology and architecture to create control channels through which processes are safely conducted. Technology and architecture have been successfully leveraged in endeavors such as military defense, space travel, medical care delivery, and so on. In business, organizations must likewise ensure that security is leveraged in order to flourish.
Controls must be specific, versed, and credible – they must be built on a foundation of solid understandings, relationships, emotions, drives, and motivations. They must be easily understood by those who execute the controls. Fyodor had it right when he said, “Intelligence is everything.” In other words, the more an adversary knows about you, the more likely he or she is to attempt to penetrate your defenses. By the same token, your adversary will want to know everything about you. Understanding this, security services need to be valuable and reliable. The concomitants are all the contacts from whom the control issues are service-provoked. These contacts must be understood and respected.
Collect dependable data about the organization and office. The data needs to be used to create the framework for account justification and ongoing supervision of performance.
Controls should then be deployed in a layered fashion – from policy to program, and from policy to practice – and can be further grouped into preventative controls and defense controls. Overall, this architecture will provide querying and management capabilities that allow the administrator to secure the network and network devices quickly, today.
Conduct research to understand the motivations of those who would try to penetrate your network. Understanding your business needs, personal wants, and security awareness will help to prevent breaches.
Look within your organization for successful entrepreneurs who are masters of Excel and who understand the importance of a secure architecture. Today, successful entrepreneurs are few and far between. Most techies today have spent most of their careers in universities. They are brilliant students who are surrounded by brilliant people. But they lack the outside experience (the “ARIA experience”) that would help them properly understand an enterprise’s needs from the inside, and as a result, they often project without having experienced what it is like inside the corporate box.
Upon further consideration, my friend said, “I’ve never felt that a more solid argument could be made for in-house training than the one made here. If we’re going to do this, let’s do it properly.” He then went on to add, “For us, the in-house component is really important. We have security people who are experts in their field, and they know what they’re doing. We also have security consultants who have actively worked in the security field and have the real-world experience to evaluate any technology in a way that we can use.”
Defense in Depth
A defense in depth strategy is a comprehensive approach to information security that uses multiple layers of defense mechanisms to thwart an attack. The basic concept is to establish a network security system that will prevent unauthorized access to computers or networks. Then, as attacks become more diverse and complex, multiple layers of defense will be needed to thwart the threats. However, as multiple threats are dealt with, the need for additional defense mechanisms is greater. Today, it is becoming imperative.
There are three primary concerns for those who engage in the in-house development of protection mechanisms for Information Technology (IT): cost, performance, and availability. All are affected by the same imperatives of management: earnings, revenues, and core business goals. All three can be won through effective protection mechanisms that are designed to deliver consistently high levels of performance and value to the business.
Conversations with management have revealed that most executives, as well as board members, want their businesses to succeed by partnering with others outside the box, as well as by achieving strategic significance. They want to partner with those who are succeeding in their field to enhance their chances of success. But they also understand that business survival requires compromises to acceptable risk.
So, while they continue to achieve in their field, seeking growth and opportunity, the other risk factors (depicted by the risk factors listed below) continue to differentiate the risks presented by new business requirements.
As outlined above, the risks that are currently considered to be severe, or critical, or for which there is little hope of mitigation, will change as the business grows and becomes more complex.