Search in ISMS Guides


Saturday, August 4, 2007

Information Security: A New Approach


Information Technology is pervasive — it moves your business; very often aspects of your personal life, it facilitates transactions, creates a responsive organisation, enables customer- and partner-interactions, and creates competitive advantage for the corporation. As fundamental as IT is to business, information security is equally critical to survivability of businesses in today's Digital economy.

The role of information security has changed across the past few years. Traditional definition of protecting networks and the Datacenter has undergone a shift in focus resulting in enablement of businesses with security solutions actually moving your business forward or even to the next step. Security is now lifestyle. A must-do for survivability of businesses. Wherever the network goes, security goes. Improving customer acquisition, extending businesses, growing mobility of the workforce and a global workplace are all facilitated by Security frameworks, processes and solutions.

No longer can security be an afterthought. Increased need for efficiency and productivity, reducing costs, reaching multiple markets and faster time-to-market are few of the business benefits which are driving organisations to make security a part of the organisational DNA.

The opportunities thrown up by Security to CEOs and functional heads bring in enormous challenge to IT administrators. And, the Achilles heel to such an internetworked Enterprise becomes Information Security or rather the lack of it. Cyberspace is no place for the unwary especially in an increasingly competitive world. This challenge confronts both large enterprises as well as Small Medium Enterprises. As a variety of security threats, new vulnerabilities, new technologies, convergence, market focused processes threaten to swamp traditional IT, you need stability amidst change — you need a new way of doing security which accelerates the organisational extensions and growth. A new way of implementing, managing and doing security which has the flexibility to accommodate change and to adopt emerging technologies.

While the Internet offers tremendous value by opening up new levels of integration with partners, suppliers and customers, it also exposes business systems to new forms of malicious attacks. In the era of unbounded networks, Security boundaries have blurred where data flows across the information Value Chain. In addition to that, new threats have emerged as also the quantity and virulence of attacks. As long as technology continues to evolve, malicious code will be right behind. The nature of viruses, Trojans and worms makes it virtually impossible to stop infiltration completely, though there are ways to reduce, if not eliminate it.

However, most companies do not have sufficient IT staff to keep patch levels up to date, therefore allowing even known vulnerabilities to remain exposed. Security is a moving target — it is physically impossible for any organisation to monitor, analyse threats, manage and act upon them on a 24x7x365 basis. Signatures, Patches, and DAT files must be updated regularly to eliminate false positives, eliminate vulnerabilities and to ensure detection of the latest intrusions and exploits. These tasks are not just time consuming but also require highly skilled security analysts who must stay apprised of any new threats and techniques. In addition to being expensive and often ineffective, providing constant vigilance in-house is management intensive and can distract an organisation from its core business.

A resilient and future-proofed IT infrastructure is mandatory for organisations for which predictability is the most critical component. Predictability is an amalgamation of Reliability, Availability, Manageability and Scalability backed by performance management.

The progression from data to information to knowledge to intellectual is tough to accomplish. While security threats are increasing in leaps and bounds, security professionals are far and few between. In fact, the biggest missing link in security is the absence of trained and certified professionals in most geography. Security encompasses not just systems but people as well. And, education, does not stop at the IT manager alone, but also needs to extend to all users as they use Networked services to transact, as also the policy maker who needs to discuss and decide on business extensions.

Well designed IS security policies and professionally implemented security architectures cannot by themselves assure the security of your information assets. People are at once the weakest links and the strongest defence to secure the information assets of any organisation. While information security touches every major aspect of operations, insufficient awareness and understanding of security amongst people is a major cause that undermines security.

No single product or service can comprehensively address the possible security threats to your IT infrastructure. Maintaining effective security is a continuous process that identifies assets, analyses threats, and defines acceptable levels of risk. Strong, enterprise-wide security demands solution and technologies that bring in a combination of online technologies, processes, practices and trained people.

No comments: