
Opinion: There's no magic pill for security

Real security only comes with a lifestyle change, serious commitment and determination

As happens every January, when the new year arrived a couple of weeks ago, I saw a lot of new joggers and dog walkers out on the roads in my neighborhood. I've heard that gyms see a spike in business every January as well. In both cases, after a few weeks, things revert to about where they were before, as most of those who resolved to get fit in the new year fall away.

The problem is that real fitness is not achieved through a quick fix. It's an entire lifestyle, not a couple of jogs around the block.

Parallels can be drawn to security, be it information security, application security, software security or any other security discipline.

For many organizations, certainly, the quick fix can be tempting -- and it's just as illusory as the fitness quick fix. Again and again I've seen organizations that otherwise are lax in security matters commission a quick penetration test of whatever software or app they're deploying. They hope the test will give them an easy list of things to fix and leave them -- ta-da! -- secure. Even worse, they might go out and purchase a firewall, IDS, application firewall or some other product they heard about at a trade show and expect it to magically secure their shoddy software.

These things are to security what a pill that promises to burn fat while you sleep is to fitness. In both cases, the only thing you end up burning is cash.

Real security only comes with a lifestyle change, serious commitment and determination. It requires sweat and pain at times. But the results can be worth all that effort.

If you are ready for that kind of commitment, then the next natural question is where to begin. Quite simply, you need a plan. Failing to formulate a solid plan is what trips up the New Year's resolution crowd, and the same is true for organizations seeking better security. If you're out of shape, you shouldn't expect that you can just put on the sweats and running shoes and run a few miles on New Year's Day. Getting to wherever you want to be is going to take time, and should be planned accordingly. Start with the small things and gradually increase.

Here's how I would recommend easing into better security shape:

  • Decide where you want to end up. Do you want the best security program that money can buy? Are you aiming to do things only as securely as other organizations in your field? Do you want to do the bare minimum to avoid some regulatory sanction? Thinking about questions like these will help you determine what you can afford to do -- and what you can't afford not to do. Set a target, and then get senior buy-in and commitment for getting there. A fine example of goal-setting is the famous Bill Gates "Trustworthy Computing" memo, sent to all Microsoft employees in January 2002.

    In it, Gates wrote, "So now, when we face a choice between adding features and resolving security issues, we need to choose security." Those simple words sent Microsoft in a new direction and continue to shape the company's actions today.

  • Next, critically assess where you are now. Just how bad is it? Whether you do the assessment yourself or hire consultants, you should emerge from the process with a candid understanding of your current state -- no sugar coating. And if you haven't done such an assessment for some time, do it again. It's worth updating that "before" snapshot from time to time.

  • With your goal in mind and your current state understood, establish milestones. Start with bolstering the most glaring weaknesses uncovered in your current-state assessment. Plan and budget them out over a realistic timeline. Build each milestone into your organizational goals and your staff's personal goals. Plan to measure successes (and failures). Reward those who succeed, and punish those who don't.

There are plenty of resources to help along the way. For example, if software security is your responsibility, consider reading and participating in the Building Security In Maturity Model (BSIMM). It's a great way of assessing your current state by comparing your organization's practices against others, including (most likely) some in your specific industry sector.

Whatever path you take, be prepared for the hard work of getting into security shape. Just as there are no magic diet pills, true security doesn't come with buying a product, even if it's from a reputable vendor.

With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Department of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.
