Security Controls

Security is a Business Issue

Securing information, computers, and networks is a difficult but critical activity in any organization. The consequences of not adequately securing these information technology (IT) resources can be disastrous, as can be gleaned from numerous news articles about security exposures appearing in many online and print media. The solutions most frequently implemented to address security issues are additional technology deployments in the hopes that they will work! Unfortunately, technology-only solutions are but one piece of the overall security puzzle. And they work only to a point, beyond which they are ineffective. What is needed is a multi-faceted approach that not only utilizes needed security technologies but also relies on appropriate management techniques to address a basic business fundamental: IT resources are used because they help to conduct, sustain, and grow a business. It is this very issue that is the underpinning of our philosophy about security - security is a business issue in need of technical and managerial competencies.

Three Layers of Control

Good security strategies seek to deploy three layers of controls:

  • Preventive,
  • Detective, and
  • Corrective.

 

Prevent Rather than Correct

The first layer of security deployment is based on an age-old adage: "Prevention is better than a cure!" Thus, the first layer of defense should always be preventive in nature, seeking to prevent a security exposure from occurring. The second layer exists to detect the security exposure in case the first layer (preventive) is breached and to inform appropriate personnel in the organization. Finally, the third layer, corrective, exists to take action to correct (or recover from) the consequences of a security exposure. These three layers form the basis for any IT security deployment that we perform.

Disaster Recovery

Understand that data backups and disaster recovery, while critical, are merely corrective measures against natural and man-made disasters because they seek to correct the consequences of disasters. Once again, they are just one piece of the larger security puzzle. Corrective controls need to be coupled with preventive (fire-retardant systems, for instance) and detective (fire alarms, for instance) controls to more comprehensively protect information. Of course, natural disasters cannot be prevented and, in those cases, corrective controls definitely play a very important role.

In a Nutshell - Security Controls

"The solutions most frequently implemented to address security issues are additional technology deployments in the hopes that they will work! Unfortunately, technology-only solutions are but one piece of the overall security puzzle."

". . . a multi-faceted approach, that not only utilizes needed security technologies but also relies on appropriate management techniques, is needed."

"Security is a business issue in need of technical and managerial competencies."

"Good security strategies seek to deploy three layers of controls: Preventive, Detective, and Corrective."

"'Prevention is better than a cure!' Thus, the first layer of defense should always be preventive in nature."

"Data backups and disaster recovery, while critical, are merely corrective measures and are just one piece of the larger security puzzle. They need to be coupled with preventive and detective controls to more comprehensively protect information."