100% data security just an illusion

By Kate Evans-Correia, News Director
15 Jun 2006 | SearchCIO.com

What does the parent of a perfect teenager have in common with a CIO who has a perfectly secure data center? They're both delusional.

"In some cases, you may just decide to accept that risk."
Jack Phillips, Managing Partner, Institute for Applied Network Security

"No [company] is ever 100% secure," said Jack Phillips, managing partner of The Institute for Applied Network Security in Boston. Phillips spoke to some 200 IT executives at the CIO Decisions Conference 2006 held last week in Carlsbad, Calif. "You cannot eliminate risk altogether."

Just like a parent in denial, a CIO sometimes has to learn the hard way, with news delivered in the middle of the night.

"People are a little more confident than they should be," Phillips said. "They think they're secure until something happens. There's an illusion of security."

When it comes to data security, the first thing CIOs have to learn is that no security policy and system can be perfect. However, it is possible to sleep at night knowing your system is "good enough," Phillips said.

When is enough enough?

You can't eliminate risk entirely, but you can lessen your vulnerability. Look at it this way: you lock the door to your house. It's reasonably secured. You could add a few more deadbolts to the door or maybe a second, locked screen door. Then your house would have more security, but in most neighborhoods a simple lock is good enough.

Understand, however, that if you're asking yourself if you have enough security, enough is a relative term and "comes in many flavors and shifts constantly," Phillips said. What's enough for you may not be enough for another organization.

The key to making sure you have enough security is conducting a thorough risk assessment. That process differs depending on the size of the company, its vertical industry and the types of data contained in the system, Phillips said.

Sam Young, CIO at California's La Sierra University, said his most critical asset is his school's reputation, which relies on making sure private information stays private. It's not so easy in an environment where users are increasingly computer savvy. "It's pretty tough to prevent people from hacking our servers when we breed hackers," Young said, echoing the sentiments of many technology executives in higher education.

Students are always finding new ways to get around a secure system, Young said, even though in some cases there are eight to 10 layers of security aimed at preventing breaches. From his viewpoint, Young figures he can never be 100% secure, given the rapid-fire rate at which technology changes.

"There are always vulnerabilities," he said. "You do an MS upgrade and something comes up. The simple thing of a password -- people are sticking their passwords on sticky notes on their computers; VPs are giving them to their secretaries."

Accepting that it's OK to be "good enough" is a first step. After that, Phillips recommends the following risk-based approach:

  • Start fresh. Go back into your organization and make sure everyone is on the same page as to what should be protected and why. Define a level of importance to the business.
  • Evaluate and order critical assets. What are your organization's critical success factors? What are the critical assets required for success?
  • Estimate your vulnerability level. Consider external and internal threats and estimate the probability of loss.
  • Determine the best way to secure each asset.
  • Determine how many resources will be spent based on the value of the assets.

"You decide your risk profile," Phillips said. "No matter how you cut it, [it's essentially] a roll of the dice. There's no perfect solution. Sometimes you just have to say, 'it's a risk we'll have to take.'"

Let us know what you think about the story; e-mail: Kate Evans-Correia, News Editor


