Some organizations view ‘technical solutions’ as the immediate answer to their information security problems. This attitude is promoted by several suppliers of - you guessed it - those very same ‘technical solutions’. Technology-based information security products, such as firewalls and antivirus software, are very valuable weapons in the security manager’s armory, but there are severe drawbacks to a purely technological approach:
Firstly, technology is fallible. Despite the best efforts of the software quality engineering movement, hackers, testers and users continue to find unchecked buffers, unexpected exceptions, backdoors and other gross vulnerabilities in commercial and in-house developed software. This problem is compounded by the complexity of modern IT systems. Organizations that employ multi-layered security have the right idea but we find it extremely hard to believe that every layer of armor is near perfect. Worse still, ever since medieval days, attackers have been known to bypass castle defenses by taking an alternative approach. This kind of attack definitely occurs on the web too.
Secondly, very few organizations understand their information security problems in sufficient detail to ensure that they specify appropriate technical solutions. Typically, they recognize the need for standard information security packages (such as antivirus software) to address individual concerns, but they seldom have a comprehensive view of their requirements. They buy ‘plug and play’ firewalls with no regard to monitoring the security alarms, updating attack signatures, or responding to new forms of network traffic. They virus-scan emails but ignore JavaScript.
Thirdly, the term “technical solution” usually implies significant expense. Today’s security technology is particularly costly, whilst standard off-the-shelf packages are often sub-optimal and offer little competitive advantage.
Lastly, someone invariably has to implement and operate the technology and this opens a massive can of worms. This post considers the importance of the last aspect, the human element of information security.
If you are serious about information security, you must tackle the human factors - those who purchase, implement, manage and use the technology - as well as the technology itself. Improving information security is not about choosing whether to improve the technical or procedural controls, but about how to improve them both. Proactively managing your information security risks involves assessing and reassessing all the threats, vulnerabilities and impacts and successively improving controls. This is not a one-off ‘fire and forget’ operation, just to get your ISO/IEC 27001 certificate or whatever. Information security requires ongoing management attention.
Wednesday, December 31, 2008