Published on: Mar 3, 2016
Securing the enterprise
By: Frank Curry
The Globe and Mail, August 19, 2005
Front Lines is a guest viewpoint section offering perspectives on current issues and events from
people working on the front lines of Canada's technology industry. Frank Curry is the Practice
Director for Technology Infrastructure at Avanade Canada Inc., a technology integrator for
Microsoft solutions in the enterprise.
For today's executives, the threat of a security intrusion or disruption is real, constant and ever
changing. For the IT department, the response to security events is often at the expense of other
projects and leaves the department feeling like they are lurching from crisis to crisis.
Most companies in a security crisis dispatch a SWAT team of their strongest IT professionals to resolve
the problem. This results in the reassignment of staff from other, more strategic projects. As a result,
IT staff are constantly playing catch-up on vital aspects of IT infrastructure projects they had to
abandon to respond to the crisis.
Most IT professionals understand that a "wait and see" attitude is no longer an effective way to
manage security. Reacting to viruses and threats after a breach has occurred is costly and
inefficient. A reactive approach not only leads to an ad hoc security program, but distracts the IT
team from their primary activities - usually those efforts that supply the company with a strategic
As security strategies evolve beyond this reactive approach to a more proactive one, there is a great
opportunity for IT professionals to create a security platform that encompasses the entire enterprise,
one that includes not only technology, but people and processes.
Managing security proactively requires a step back from day-to-day execution in order to view
the environment holistically. Unlike securing a single application, which has a narrowly defined purpose and
scope, proactive security is based on a comprehensive overview of the entire organization. This
allows IT executives to create a plan with a long-term perspective that goes beyond technology fixes.
By taking a proactive approach, security becomes a business issue, not just a technology problem.
Thinking proactively about managing security is not an easy task. It takes time and investment to
design the processes and build the technology to execute them.
What is more, there is a challenge inherent in this approach: to be successful, it often requires buy-in
from many different stakeholders, in addition to IT management and the network administrators.
Often IT professionals hit a roadblock in the approval phase because each stakeholder has his or her
own agenda and his or her own individual priorities. More often than not, security is put on the
back burner as these priorities take precedence, and a more tactical approach is employed.
In creating a proactive security approach, there are a few initial steps to take to develop a plan that
is attractive to, and more likely to be embraced by, all concerned parties.
Understand Your Environment
Before you decide where you want to be, you need to understand where you are. To accomplish this,
an objective eye is required to review the current security state: the business assets, the threats to
them, and the vulnerabilities that expose them. With this insight, you can begin to identify and prioritize the risks that would have the
greatest impact on the company, and those that can be mitigated effectively.
Involve the Organization
In order to create a strategy approved by the organization, one needs to involve the organization. At
the start, bring together decision-makers from groups or divisions with a direct and indirect stake in
security. Use this meeting to create a steering committee to review the organization's IT security and
ensure each group's needs and concerns from a security perspective are acknowledged.
Create a Strategy
A clearly defined strategy is a roadmap to where you want to be and how you plan to get there.
Without a long-term strategy, security projects will remain a series of uncoordinated, and sometimes
mutually incompatible, one-off efforts.
A holistic approach to security entails thinking about security as a part of enterprise architecture.
This perspective helps break the problem down into components that are the basis for a roadmap.
Starting with the enterprise architecture, one can consider what security means to messaging, to
transactions, to hosted applications, and so forth. From this vantage point, it's also easier to factor in
policies and infrastructure to create a strategy that is both contextual and comprehensive.
Create a Business Case for Security and Define the ROI
Security is not a discrete product, so defining its cost savings can be a challenging exercise. When
trying to identify the ROI on security, a good rule of thumb is to consider the money your organization
could save by mitigating risks that may or may not materialize. Some aspects of security are so intuitively
significant that they do not require a full-blown business case, such as the investment to secure a
website to prevent theft of customers' credit card information. Other aspects of overall security do
not have such obvious benefits.
While it's tempting to define value based on a single project, because there are fewer costs and
functional lines to cross, it can undermine the credibility of one's argument if the overall security
Speak in Their Language
Perhaps most important is to understand how each representative in the group likes to see risk
structured and quantified for his or her own group and for the organization. People who focus on activities
related to auditing or finance are going to have an interest in security that is different from that of the
people who focus on maximizing the volume of transactions performed by systems.
You need to demonstrate the strategy and security plan in their terms, from their perspective. Think
of your CEO and CFO as your customers, and tailor your approach and use language that they