What Do We Offer?
Securing information, computers, and networks is a difficult but critical activity in any organization. The consequences of not adequately securing these information technology (IT) resources can be disastrous, as can be gleaned from numerous news articles about security exposures appearing in many online and print media. The solutions most frequently implemented to address security issues are additional technology deployments in the hopes that they will work! Unfortunately, technology-only solutions are but one piece of the overall security puzzle. And they work only to a point, beyond which they are ineffective. What is needed is a multi-faceted approach that not only utilizes needed security technologies but also relies on appropriate management techniques to address a basic business fundamental: IT resources are used because they help to conduct, sustain, and grow a business. It is this very issue that is the underpinning of our philosophy about security - security is a business issue in need of technical and managerial competencies.
Thus, NEOITS offers services to
- Perform a needs analysis to determine the balance between the amount of security and its associated cost,
- Implement preventive and detective measures, and deploy tools, to keep IT resources safe from security vulnerabilities,
- Implement corrective strategies (for example, disaster preparedness and recovery) to facilitate business continuity in case of security breach,
- Determine the root cause of security vulnerabilities such as viruses, spyware, intrusion, and disasters, and
- Educate and train users to be vigilant of possible security vulnerabilities and be cognizant of the consequences of security exposures.
The Weakest Link in Security
Quite often, business managers are under the mistaken impression that the technology they have deployed (firewalls and security software, for instance) adequately protects the business information that resides on the company's computers and servers. This impression is partially true. Technology and software alone are insufficient to protect information. The weakest link, from an information security standpoint, is not technology, but people (users, in a business context). Yet businesses do not hesitate to throw technology at securing information in the hope that it is sufficient to stop someone from accessing and/or stealing that information. Past and current research indicates that a majority of information security breaches result from the actions of people, most of the time insiders, and not from a lack of technology! The actions that employees take, and the ways in which they interact with computers, can have a detrimental impact on the security of information. Unfortunately, no available technology can influence or change human behavior and, until such technology is available (an unlikely event!), security will continue to be a business issue, not merely a technical one!
Achieving a Balance
It goes without saying that nothing is ever 100% secure. What may seem to be secure today will most likely exhibit vulnerabilities at some later point in time. Further, since there is a direct relationship between security deployment and its associated cost, the higher the security, the higher the cost. Thus, near-100 percent security is very, very expensive! Consequently, the appropriate amount of security is one that balances the benefits of security against the cost of its deployment. That appropriate amount can only be determined by performing a needs analysis, an activity that is a necessity in any security deployment effort. A security needs analysis, of course, cannot be conducted in a vacuum. It has to be conducted in the context of
- A variety of organizational factors,
- Appropriate security hardware and/or software,
- Security training and education for users to create an awareness and a culture of safe computing,
- Security-related policies and procedures to guide users, and
- Security programs to assess if policies and procedures are being adhered to.
All of these done in concert will lead to a greater chance that information will remain protected.
Business Continuity
IT resources are used in organizations for business reasons, not for the sake of just using technology. Just as human, financial, capital, and material resources are managed in organizations, information resources need to be managed, too. If human resources are compromised, organizations can hire new ones; if capital resources are destroyed, they can be replaced. If information resources are compromised or destroyed, though, there is a good chance that they will be gone forever and possibly misused. This loss has the potential to destroy a business. Thus, for the sake of business continuity, good security strategies are a must!
Good security strategies seek to address three layers of controls:
- Preventive,
- Detective, and
- Corrective.
The first layer of security deployment is based on an age-old adage: "Prevention is better than a cure!" Thus, the first layer of defense should always be preventive in nature, seeking to prevent a security exposure from occurring. The second layer exists to detect the security exposure in case the first layer (preventive) is breached and to inform appropriate personnel in the organization. Finally, the third layer exists to take action to correct (or recover from) the consequences of a security exposure. These three layers form the basis for any IT security deployment that we perform.
Understand that data backups and disaster recovery, while critical, are merely corrective measures against natural and man-made disasters because they seek to correct the consequences of disasters. Once again, they are just one piece of the larger security puzzle. Corrective controls need to be coupled with preventive (fire-retardant systems, for instance) and detective (fire alarms, for instance) controls to protect information more comprehensively. Of course, natural disasters cannot be prevented, and there corrective controls definitely play a very important role.
Proactive Rather Than Reactive
More often than not, organizations merely react to security breaches by deploying additional security technologies in hopes of preventing future breaches. Reactive approaches merely correct consequences of security exposures and often address only the symptoms of security problems. Rather, more proactive approaches are called for. Proactive approaches begin by comprehensively examining and plugging possible security holes, thereby seeking to prevent security breaches from occurring. Information security strategy should be part of the larger set of IT strategies of the firm. Only then can information be protected adequately. Security breaches could still occur but the probability and potential losses will be significantly reduced. Further, the focus will be on avoidance of human errors, a major cause of security breaches.