IT security, like Mom and apple pie, is something everyone’s in
favor of. That’s why it’s interesting to see what an authoritative
publication like CIO magazine finds out when it does a
survey of
the global state of the art (in this case, involving over 8,000
respondents in 62 countries across six continents). The survey
also yielded six "secrets" (yes, journalists will be journalists)
of effective IT security:
- spend more; you do get what you pay for;
- separate information security from IT, and in fact merge information security with physical security;
- conduct penetration tests; better you should discover your vulnerabilities than a Sasser worm code jockey;
- perform a comprehensive risk assessment; this is jargon for the common-sensical approach of fixing the big, dangerous vulnerabilities first and saving the trivial, harmless ones for last;
- define your overall security architecture; this is jargon for making sure that all your "local" solutions can work and play well with others; and lastly
- establish a regular (they suggest quarterly) review.
Counterintuitively, the study also found that companies with a
higher degree of confidence in their security measures were
in fact more secure: of the "best practices" group,
nearly 80% of CEOs were "very confident" about security, while
in the rest of the world only 30% were. Why do I label this counterintuitive? Because
in many contexts the best defense stems from a healthy paranoia.
But the numbers speak for themselves. Even though many of
the "best practices" firms were targeted more often in 2004 than
in 2003, they suffered less down-time and lower financial losses. So
maybe they do have reason to be confident.