It is not always about technology
Security means many things to different people. In the IT world many think of security as firewalls, passwords, and permission settings on server folders. The truth is IT security should start as a foundational building block of senior management strategy in any organization. Whether it is
e-mail scanning software or firewall policies, security MUST start at the top. One CIO responded with an interesting answer when I asked to talk to her about security in her organization. She said,
"Sorry --- security is handled by my network engineer and he is busy with a
project". OOPS --- Sorry --- Wrong Answer!
Security should not be tool centric. Firewalls will eventually fail under some circumstance, intrusion detection systems will miss a critical event as hacker creativity and skills improve, and someday a virus protection pattern will be too slow to be updated and the virus will begin to propagate both inside and outside of your Local Area Network. Security should be people centric not tool centric. When disaster strikes it will be the mental and process preparedness of the people that will minimize the damage. Tools help and are an integral part of security but tools are not the answer. Even the truck on the way to the backup tape vault is a risk and that is clearly not a technical problem.
In every organization an Incident Response Plan should be as important as the Disaster Recovery Plan. Would your organization know what to do in the first five minutes after the discovery of a rapidly spreading virus that managed to get past your virus protection? Unplug the email server from the network --- Good Answer! If the network engineer was at lunch does the Help Desk Administrator know where to find the wire? Not sure? Bad Answer! It is about being prepared not about buying the best tools. You already have the best tools --- your people. Probably not well prepared but yes the best tools if they know what to do.
Security, like everything else in a high performance organization, starts with Leadership. Without Leadership tools will never be able to do it all. Yes, state of the art intrusion detection can help. The latest in identity management will improve password strength and management but if your Help Desk administrator will reset the password of a user from a request of an imposter who just got an "Out of the Office" message you have a problem. If they will do it without question then any hacker with marginal social engineering skills can break in to your network via a VPN connection with very little technical knowledge. Leadership --- without it your tools are just that, tools. People use tools and it simply makes them better. Leadership is the beginning. Without it your risks are very high.
Mark Strickland, CISSP