Five principles underpinning robust security strategies

Forrester Research provides five best practice tips for building IT security strategies

Security is not a standalone discipline any more, and security professionals today need to understand the broader business context if they want to succeed in their job. Security also needs to be adaptable to changing technological and economic environments.

Avoid the temptation to adjust your risk appetite.

In tough economic times, business managers tend to be more inclined to accept risks. Rather than spend the money on mitigation, they are willing to take their chances and hope the risk doesn’t materialise. Security leaders need to stand fast: this is in fact the worst possible time to take chances, because the threat of insider fraud and security breaches grows as economic times get harder. The prospect of losing their job, or the pressure to perform and compensate for a lean workforce, is reason enough for some employees to cut corners to meet targets or to take revenge on companies they feel have treated them badly.

Modify your plans to account for prolonged economic uncertainty.

Develop a flexible and nimble approach for taking on large investment projects. Whether you are working with a vendor or doing it yourself, it’s essential that you divide up large projects into small, digestible chunks. This becomes a necessity in tough economic times, where you may not have the budget or resources to work on the project a few months down the road. You want to have the flexibility to adjust the timeline and the investment at short notice.

Spend your budget on projects that affect the bottom line of the business.

Most security projects cannot be justified strictly on the basis of return on investment. But certain projects can create efficiencies and have tangible cost savings while maintaining or even improving security.

Take an information lifecycle approach to data protection.

The continued high volume of data breaches has kept many security professionals on their toes and in a reactive mode. Many look for quick fixes and overnight solutions to a complex problem that requires careful consideration and a multi-year approach.

Encryption is a good first step towards data protection, but it will not guard against insider abuse or access control violations: a user who is authorised to decrypt the data can still misuse it. A much more comprehensive but time-consuming strategy will focus on the process of managing the data lifecycle, starting from classification and ending with disposal. It will augment that process by deploying tools for areas such as access control, data protection and data leakage prevention. Most importantly, the strategy should provide adequate user security awareness and training to ensure that users become the first line of defence.

Embrace new business models, but help the organisation manage the accompanying risks.

It’s a common story: a data processing operation is outsourced, and security gives its blessing on the assumption that since the data is non-critical, it poses little risk to the company. By using an offshore provider, the cost of the operation is cut in half. Other managers get wind of it and want to outsource some of their operations as well. Some of this data is highly critical and, if breached or disclosed to the wrong entity, could have devastating financial and reputational consequences for the company. Security is then tasked with judging the merits of outsourcing such data.

Instead of saying no, or making the outsourcing decision on behalf of the business, IT needs to work with the business to define parameters and appropriate protections for the data that can be outsourced.

Accept changing technology paradigms while guarding privacy and confidentiality.

Social networks, blogs, and other Web 2.0 technologies such as wikis are great for collaboration, communication and connecting with others, but they also blur the traditional boundaries between work and personal life.

Phishing attacks against users of social networking sites will become more sophisticated. It is important for information security professionals to ensure that these tools are made available to knowledge workers, but in conjunction with controls to ensure that sensitive corporate or private information is protected. The first crucial step is to develop a policy and educate and train the users.

Additionally, data loss prevention tools, web crawlers and other filters can be used to prevent sensitive information being disclosed through these mechanisms.
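The content-inspection step at the heart of such a filter can be illustrated in code. The following is an added example for this page, not Forrester's or Computing's own tool: it scans outbound text for classification labels and for card numbers, and only treats a digit run as a card number if it passes the Luhn check, which removes most order numbers and reference codes. The label names (PUBLIC, INTERNAL, CONFIDENTIAL, RESTRICTED) and the sample messages are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Classification labels assumed for this example (not from the article).
# The value says whether content carrying the label may leave the organisation.
LABELS = {"PUBLIC": True, "INTERNAL": False, "CONFIDENTIAL": False, "RESTRICTED": False}
LABEL_RE = re.compile(r"\b(PUBLIC|INTERNAL|CONFIDENTIAL|RESTRICTED)\b")

# 13 to 19 digits, optionally separated by spaces or dashes: the usual
# shape of a payment card number. Greedy, so the longest run is tried first.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled,
    digits above 9 have 9 subtracted, and the sum must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str    # "label" or "pan"
    detail: str  # the label, or a masked card number (first 6 and last 4 kept)


def scan(text: str) -> list[Finding]:
    """Return every reason this text should not leave the organisation."""
    findings: list[Finding] = []
    for m in LABEL_RE.finditer(text):
        if not LABELS[m.group(1)]:
            findings.append(Finding("label", m.group(1)))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
            findings.append(Finding("pan", masked))
    return findings


def decide(text: str) -> str:
    """Egress decision for one outbound post or message."""
    return "block" if scan(text) else "allow"


if __name__ == "__main__":
    # Constructed sample messages, not real data.
    samples = [
        "Quarterly figures attached, CONFIDENTIAL - do not forward",
        "Card on file: 4111 1111 1111 1111 exp 12/29",
        "Order ref 4111111111111112 shipped",
        "Great meetup last night, photos are PUBLIC on the wiki",
    ]
    for s in samples:
        print(decide(s), [f"{f.kind}:{f.detail}" for f in scan(s)], "<-", s)
```

Two caveats a practitioner would add. First, a 16-digit order number still has roughly a one-in-ten chance of passing Luhn, so findings need to be logged with enough masked context for a reviewer to dismiss false positives. Second, matching label words in free text is crude; production tools read labels from document metadata or a classification tag applied at creation, which is where the lifecycle approach described above pays off.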

Visit www.forrester.com/computinguk for several complimentary reports made available to Computing readers by Forrester Research.

Khalid Kark is a principal analyst at Forrester Research