The cold war was political. It's over. World War III is an economic war. It's here - it's now. Information is where the money is, and theft is easy, safe, and lucrative. Laws against eavesdropping and other high-tech crimes are difficult to enforce, and the crimes themselves are difficult to prove. Advancements in electronics and optical electronics have made communications interception easy and cheap. Business ethics don't have the same value as they did in the good old days of "deck of punch cards" computing.

IT and business security is becoming more and more critical in today's commercial environment. Every day we are faced with new computer risks, viruses and new "ideas" from hackers on how to gain access to our network or other systems or physical locations. Fortunately, there are even more sophisticated business solutions out there that can be implemented to secure us from these dangers. These can be anything from simple firewalls up to very expensive encryption and biometric authentication solutions or remote communication modules. These new business realities affect you as much as they do your competitor - no matter what your line of business. The question is: how can you protect your organization, no matter how large or small, from the known and unknown security dangers and risks to remain as competitive, and therefore as profitable, as possible?

What about all the other business risks that are also getting more sophisticated? Have you considered all the risks that cannot be covered by technology? What about the human side of business? No business can function without the human touch. Yet how do you know when that necessary "human touch" is about to reach out and touch you in the form of an "insider" attack? Have you thought about your employees behind the technology? How about social re-engineering forces or disgruntled employees? When did you last have a corporate risk assessment completed, or even considered, if ever?

As a person you are prepared for the unexpected: you face the unexpected several times a day without giving it a second thought. You follow the rules of the road when you drive because you know it is the right thing to do. You purchase insurance for yourself and your car, carry health insurance and life insurance because you know it is the right thing to do for your family.

Unfortunately, with many of the business risks of today there is no "red light, green light" to tell us when to stop and when to go. But how can you say you are sorry enough to your customers when you have to tell them some hacker has posted their credit card number on the hacker's web site? When it comes to your organization or business, have you put the same level of consideration into how your employees and customers will continue to rely on you should the unexpected happen?

If you're like the senior executive or owner of most companies, the answer may be a frightening "No, we have never had any comprehensive business risk assessment completed." Or worse yet, perhaps you have a false sense of security in a plan that was developed several years ago. With all we hear about how high the price of security can be these days, you may find yourself saying, "Investing in a security and privacy solution is expensive; too expensive for our organization or business right now." But can you afford to risk spending more than 15 times the cost of preventing a security breach or a communications breakdown when the unforeseen does in fact happen?

Proactively preparing your business with a comprehensive security assessment and plan is far less expensive. According to David Bauer, first vice president, chief information security and privacy officer at Merrill Lynch, a key component of any strategy is a dynamic risk assessment. By using tools such as scanners, log analysis, risk metrics and asset inventory that produce a biweekly security report, you can more quickly analyze and prioritize current or potential threats. This approach allows organizations to move from a circle-the-wagons approach to intelligent risk management.

With an intelligent risk management solution, the percentage of the IT budget that needs to be spent on effective risk protection is actually far less than what your competitors will be forced to spend. The answer is not about how much you spend but how well you spend it. This way about half the spending is advisory, helping build secure systems, while the rest goes toward risk management, prevention and response. For instance, it is easy to get somebody's password, so the damage that can be done by an individual has to be as small as possible. William Farrow, CIO at the Chicago Board of Trade, told how a woman cleaning a conference room became suspicious of a laptop left running overnight. She reported it to security, and it was later discovered that someone had left the laptop running port scanning software aimed at penetrating the corporate computer network. In this case even an employee at the lowest level of the corporate structure was made aware of the potential damage that can be done to the organization with a security breach. In corporate or IT security, emotional reactions, panic and legislation are counterproductive. But intelligent approaches can safeguard your organization or business from an uncertain future and substantial financial losses.

If you ask CEOs of large corporations who have gotten even low-level employees to be savvy about security, you get advice on employee education: "Make it a part of daily conversation in every project meeting. Make it clear that every project has responsibility for security. You have to make it part of day-to-day operations." Adherence to clearly defined security principles should be a part of each employee's contract. It is also important to publicize employee-caused security incidents internally, not necessarily naming the employee who made a mistake, but doing it in a way that others learn from the error. Those organizations or businesses that have evolved a system of process improvement as a natural consequence of their business demands are those organizations or businesses that will excel and win the security wars.

The key difference between companies that have implemented a dynamic security plan and those that have not is preparation. Preparation requires a focus on risk management, intelligence-driven identification, prevention and response. A good organizational or business security strategy is built around these principles: threat management, including intelligence, planning and instant response; comprehensive security services; attention to public policy, including active attempts to educate legislators; and an agile response to the changing risk environment. After all, as we have learned, an intelligent security response needs to be everyone's responsibility, and it is not always technology and IT security that matter the most.