The cold war was political. It's over. World War III is an economic war. It's here - it's now. Information is where the money is, and theft is easy, safe, and lucrative. Eavesdropping and other high-tech related crimes are difficult to enforce and prove. Advancements in electronics and optical electronics have made communications interception easy and cheap. Business ethics don't have the same value as they did in the good old days of "deck of punch cards" computing.

IT and business security is becoming more and more critical in today's commercial environment. Every day we are faced with new computer risks, viruses and new "ideas" from hackers on how to gain access to our network or other systems or physical locations. Fortunately, there are even more sophisticated business solutions out there that can be implemented to secure us from these dangers. These can be anything from simple firewalls up to very expensive encryption and biometric authentication solutions or remote communication modules. These new business realities affect you as much as they do your competitor, no matter what your line of business.

The question is: how can you protect your organization, no matter how large or small, from the known and unknown security dangers and risks, to remain as competitive, and therefore as profitable, as possible?

What about all the other business risks that are also getting more sophisticated? Have you considered all the risks that cannot be covered by technology? What about the human side of business? No business can function without the human touch. Yet how do you know when that necessary "human touch" is about to reach out and touch you in the form of an "insider" attack? Have you thought about your employees behind the technology? How about social re-engineering forces or disgruntled employees? When did you have your last corporate risk assessment completed, or even considered, if ever?

As a person you are prepared for the unexpected: you face the unexpected several times a day without giving it a second thought. You follow the rules of the road when you drive because you know it is the right thing to do. You purchase insurance for yourself and your car, and carry health insurance and life insurance, because you know it is the right thing to do for your family.

Unfortunately, with many of the business risks of today there is no "red light, green light" to tell us when to stop and when to go. But how can you say you are sorry enough to your customers when you have to tell them some hacker has posted their credit card number on the hacker's web site? When it comes to your organization or business, have you put the same level of consideration into how your employees and customers will continue to rely on you should the unexpected happen?

If you're like the Senior Executive or owner of most companies, the answer may be a frightening "No, we have never had any comprehensive business risk assessment completed." Or worse yet, perhaps you have a false sense of security in a plan that was developed several years ago. With all we hear about how high the price of security can be these days, you may find yourself saying, "Investing in a security and privacy solution is expensive; too expensive for our organization or business right now." But can you afford to risk spending more than 15 times the cost of preventing a security breach or a communications breakdown when the unforeseen does in fact happen?

Proactively preparing your business with a comprehensive security assessment and plan is far less expensive. According to David Bauer, first vice president, chief information security and privacy officer at Merrill Lynch, a key component of any strategy is a dynamic risk assessment. By using tools such as scanners, log analysis, risk metrics and asset inventory that produce a biweekly security report, you can more quickly analyze and prioritize current or potential threats. This approach allows organizations to move from a circle-the-wagons approach to intelligent risk management.

With an intelligent risk management solution, the percentage of the IT budget that needs to be spent on effective risk protection is actually far less than what your competitors will be forced to spend. The answer is not about how much you spend but how well you spend it. This way about half the spending is advisory, helping build secure systems, while the rest goes toward risk management, prevention and response. For instance, it is easy to get somebody's password, so the damage that can be done by an individual has to be as small as possible. William Farrow, CIO at the Chicago Board of Trade, told how a woman cleaning a conference room became suspicious of a laptop left running overnight. She reported it to security, and it was later discovered that someone had left the laptop running port scanning software aimed at penetrating the corporate computer network. In this case even an employee at the lowest level of the corporate structure was made aware of the potential damage that can be done to the organization with a security breach. In corporate or IT security, emotional reactions, panic and legislation are counterproductive. But intelligent approaches can safeguard your organization or business from an uncertain future and substantial financial losses.

If you ask CEOs of large corporations who have gotten even low-level employees to be savvy about security, you get advice on employee education: "Make it a part of daily conversation in every project meeting. Make it clear that every project has responsibility for security. You have to make it part of day-to-day operations." Adherence to clearly defined security principles should be a part of each employee's contract. It is also important to publicize employee-caused security incidents internally, not necessarily naming the employee who made a mistake, but doing it in a way that others learn from the error. Those organizations or businesses that have evolved a system of process improvement as a natural consequence of their business demands are those organizations or businesses that will excel and win the security wars.

The key difference between companies that have implemented a dynamic security plan and those that have not is preparation. Preparation requires a focus on risk management, intelligence-driven identification, prevention and response. A good organizational or business security strategy is built around these principles: threat management, including intelligence, planning and instant response; comprehensive security services; attention to public policy, including active attempts to educate legislators; and an agile response to the changing risk environment. After all, as we have learned, an intelligent security response needs to be everyone's responsibility, and it is not always technology and IT security that matter the most.