I don't mean another patch job. To do security right, the way the Fortune 500 companies do it, you need a plan. A blueprint. A best-practices framework. Thanks to a conversation I had with Bruce Murphy, a partner/leader of technology risk services with PricewaterhouseCoopers, I can help you spec out the four cornerstones of a solid security strategy for the enterprise:
- Security vision. Establish your company's risk tolerance: where it wants to sit on the risk curve
- Commitment. Get senior management buy-in and the budget to get the job done
- Training. Make security top-of-mind, all the time, at all levels
- Accountability. Build an org chart that clearly delineates who’s doing what, plus a mechanism to measure progress
The technology is easy. Driving behavior is the difficult part. But if you want to make sure everyone understands the necessity, start by developing a security model: assess what it would cost your business if information were compromised. Consider such things as:
- Public embarrassment
- Financial loss
- Regulatory fines
There's a danger of being overzealous on the security front. And an equal danger in underplaying the risks. Since you probably won't get unlimited resources to cover every conceivable breach anyway, rank your assets by sensitivity and make sure the most sensitive ones are covered first.
Another tip from Murphy, the PricewaterhouseCoopers expert: Companies often search for the holy grail, a single product that solves everything, even though most security vulnerabilities are within fundamental components -- the network operating system, the database or the applications. For instance, a company that sells widgets may secure its widget-making app but fail to lock down the underlying operating system it runs on. That leaves the app exposed regardless of how well it was built, because whoever controls the host controls every application on it.
Bottom line: Treat security as an ongoing process, not as an event that happens when the next Melissa strikes. You'll sleep better.