With ever-increasing cyber-security threats and the pervasive access to information, CISOs are overwhelmed by an urgent and recurring need to overhaul their organization's security infrastructure as they safeguard their information assets. Simultaneously, CEOs are thinking of how to find cost-effective ways to deploy resources and dollars to help ensure security across their organization, which often spans geographic borders. The search for a simple answer to a complex issue is a common issue for both CISOs and CEOs.
"What product should I start with?" is a common first question, but this can also be the wrong question to ask. Unless you have experienced an overt or obvious symptom, such as a security breach, this question is premature. The practical strategy for a security implementation is much more likely to be developed through a more prescriptive process.
Before prescribing a remedy, each organization needs to look at themselves and their motivations, performing a diagnostic self-evaluation. There are, at a minimum, three core questions that every organization, C-level executive, security consultant, or others must be able to answer honestly before receiving a proper security diagnosis.
Although there are hundreds of additional questions that will follow, these three core questions should be asked when considering where to start:
- Why are you doing this?
- What are you trying to secure?
- What will happen if you don't do this right?
No one comes to the decision that they need better security because they have had an epiphany and now believe that security trumps all other organizational priorities. It is always because something has happened. A class, webcast, or seminar that offers insight into security threats can be the catalyst. Perhaps the organization's security was breached, or someone heard that a company in their space had been breached. Often, staff is simply asked to address security issues or to increase their security posture by a manager, or an auditor, or an executive.
Depending on what your motivation is, your first step can be different. If your security has been breached, clearly you need to complete whatever triage and clean-up you are performing. In addition, you need to establish a means of protecting against re-infection or re-emergence of remnants from the same exploitation. The short answer the principle question of why you are doing this is that your organization is interested in security. Thus, starting by understanding the reasons why your organization is not secure enough is a good launching point. This provides a much more focused goal and also provides a common language and context within which to talk about your interior security.
This is a question that is particularly enlightening for individuals who are newer to the space, but it can be very insightful for seasoned staff members who think through the implications of this review process. For many, the gut reaction to what you are trying to secure is "my networks," but when pressed or when given more time to think, you might answer "my data," "my business," "my reputation," or "my time."
Depending on your goal, your answer to this question can lead to a litany of other questions about the specifics of whatever body of resources you need to protect. Security is among the murkiest of disciplines, and it requires thorough examination to yield a solid base of what you actually need. In the absence of a real strategy, it can be argued that anything will make it better, but few organizations want to just "get better." Most organizations want to be at least "good enough," and "good enough" is tightly related to what is supposed to be secured — and how secure it has to be.
Human nature, or at least the noble components of it, inclines us to want to do the right thing. I think people ask advice about security because they truly want to be better informed and do a better job, which is all to the good. Unfortunately, in many cases, the yearning for reliable security tends to cool abruptly when confronted with the chilly realities of funding, inconvenience, and change. Security is not free, and good security is neither cheap nor convenient.
At the start of any new security process, or at the start of an extension to an existing security program, it is very important to ask the question "what will happen is we don't do this right," because knowing whether it is imperative or just interesting will make all of the difference when it comes to making necessary choices.
If failure will mean the loss of jobs, revenue, and reputation, there will be robust support for the person who wagers a career on creating an effective means of addressing security issues, even if those means are not easy. If, on the other had, failure will mean that an individual's status report is yellow (caution signal), that managers need to sign a waiver, or that a vendor gets a strongly worded letter, the security champion should keep that in mind when he or she finds it necessary to either push hard and escalate or to compromise and close on the issue.
Security is not a word with a strictly defined meaning, so it must always be approached with a situational perspective. The three questions discussed here and the questions that they will, in turn, engender will help to create an environment where there is a balance between the intention for security and the likely willingness of the organization to help to make it a reality.
To learn more about the current state of security perspectives between CISOs and CEOs, read the "Building the Business Case for Data Protection" report (see Resources). Research was conducted by The Ponemon Institute and sponsored by Ounce Labs, an IBM® Company.
To learn more, read the "Building the Business Case for Data Protection" report, based on research conducted by The Ponemon Institute and sponsored by Ounce Labs, an IBM Company.
- For information about IBM security solutions, see these sites:
- IBM Security Products
- IBM® Rational® AppScan® software, which encompasses various editions for different environments, and the Rational AppScan page on IBM developerWorks, which links to technical articles and many other relevant resources.
- Rational AppScan Developer Edition forum
- Rational AppScan and AppScan Enterprise Editions forum
Learn about other applications in the IBM Rational Software Delivery Platform, including collaboration tools for parallel development and geographically dispersed teams, plus specialized software for architecture management, asset management, change and release management, integrated requirements management, process and portfolio management, and quality management. You can find product manuals, installation guides, and other documentation in the IBM Rational Online Documentation Center.
Visit the Rational software area on developerWorks for technical resources and best practices for Rational Software Delivery Platform products.
Explore Rational computer-based, Web-based, and instructor-led online courses. Hone your skills and learn more about Rational tools with these courses, which range from introductory to advanced. The courses on this catalog are available for purchase through computer-based training or Web-based training. Additionally, some quot;Getting Startedquot; courses are available free of charge.
Subscribe to the IBM developerWorks newsletter, a weekly update on the best of developerWorks tutorials, articles, downloads, community activities, webcasts and events.
Browse the technology bookstore for books on these and other technical topics.
Get products and technologies
Download trial versions of IBM Rational software.
- Download these IBM product evaluation versions and get your hands on application development tools and middleware products from DB2®, Lotus®, Tivoli®, and WebSphere®.
Jack Danahy is a security executive in the Office of the CTO for IBM Rational software. He is the former chief technology officer and founder of Ounce Labs, which was acquired by IBM in July 2009. He is one of the industry's most prominent advocates for data privacy and application security. Danahy holds five patents in a variety of security technologies and is a contributor to industry and national security working groups on data privacy, security, and cyber-security and cyber-threats. His writes a blog called Smart Grid Security.