
Wayne McKinnon's
Security Resource Center
Why Security is a Business Imperative
Everybody remembers the Enron scandal that rocked the
financial community. What was more interesting was not what happened to
Enron, but what happened to Andersen.
Over a matter of weeks, the trust that people placed in
Andersen eroded, and the company took a huge hit, losing hundreds of its
blue chip clients in a fraction of the time that it had taken Andersen to
build the reputation that attracted them.
The aftershock from what happened in Dallas
reverberated all the way to Andersen Canada. Associated by name only, they
had nothing to do with this. But the result is that Andersen Canada no
longer exists.
That story really underscores the importance of trust relationships.
Let me ask you this: if the trust in your organization were shaken, how
would that affect your programs?
System security is a business imperative primarily
because it safeguards the trust relationships that we rely on every day to
do business.
How you are perceived is more important than what
actually happened. Any incident, regardless of how small, or even the knowledge
that an incident could occur, has the potential to undermine that trust. The
integrity of your data, the reliability of your processes, and the trust
that you have earned as a result are your most important company assets.
In the Enron scandal, I don’t remember seeing
anywhere that the technical competency of the Andersen auditors was ever
called into question. The issue was that best practices were assumed, but
for whatever reason were not followed.
What must be done:
- Senior management must buy in to the idea, and then
  ensure that all levels throughout the organization are aware of and
  follow the proper security processes. If this isn't being done now, your
  business partners may refuse to do business with you until you can
  provide assurances that your processes are in place and are being
  followed.
- While it is true that the technical people in your organization
  are the first line of defense when ensuring that systems are
  secured, security remains management's responsibility. All levels must be
  aware of their accountabilities. Even in some of the most secure
  organizations, pockets of vulnerabilities exist primarily because at
  some level of management, security is not treated as a business
  imperative, adequate resources are not provided, or processes are
  not followed.
- A vulnerability assessment
  is a critical step in ensuring that risks are known. Perhaps not every
  vulnerability warrants a protective measure, but each vulnerability
  should be identified, and a stance taken on why it is or is not an
  acceptable risk, and what protective measures, if any, should be taken.
- Launch an awareness campaign throughout your organization
  and identify:
  - Security processes that must be followed when
    deploying new systems.
  - Responsibilities and accountabilities of end
    users, system administrators and all levels of management.
  - Assurances that you must seek from business
    partners in order to maintain your risk tolerance.
  - Assurances that you must provide to your partners
    in return.
Reprints, links or forwarding these articles is encouraged providing that the
following credit line is used: © Copyright 2002, Wayne McKinnon,
ITcoach.com. For more information contact us at ITcoach.com, Suite
531, 900 Greenbank Rd., Ottawa, Ontario, Canada K2J 4P6, (613)
860-1384, 1-888-712-6224, FAX (613) 825-4895, info@ITcoach.com
A copy of the publication in which
the article appears would be appreciated.
Copyright 2002 by ITcoach.com. All
rights reserved.