Organisations that are failing to handle security are treating it like a technology problem, says Paul Proctor, VP of security and risk strategies at Meta Group.
The key to successful security is to have an effective security programme rather than just a project, he stresses.
"A project is something that has a beginning and an end. A programme is ongoing."
Proctor will be keynote speaker at a security conference, "Security: IT's Ultimate Challenge", hosted jointly by Meta Group SA and ITWeb.
"I'll try to establish trends and issues that are affecting the creation of effective enterprise security, including risk management issues and threat trends - all the organisational issues that are holding us back from creating effective enterprise security."
Accelerating threats
Proctor says one of the worst habits in dealing with security is being reactive. "You could be reactive before and keep your losses and risks to a relative minimum, but the problems have accelerated to a point now that you have to be aggressive just to keep up with keeping losses at an acceptable range."
The one advantage of ever-accelerating security threats is that, coupled with new legislation and regulatory issues, they are finally getting business people to open their cheque-books for security, says Proctor. "More organisations are starting formal security programmes than ever before."
The people responsible for security strategy in an organisation are the business unit owners, says Proctor. "Business unit owners must accept the residual risk and establish what is the acceptable level of risk. Everybody else is just working for them trying to deliver that level of protection and acceptable level of residual risk. And then, of course, they work for the CEO and the board of directors who are ultimately responsible to the investors."
From vulnerability to exploit
With the security threats and vulnerabilities getting more complex and software vendors lagging behind with patches, how are smart organisations preventing, detecting and managing intrusions?
"The gap from vulnerability to exploit has shrunk dramatically," says Proctor. "That gap is now shorter than most enterprises' patching capability. And it's continuing to shrink. You can pretty much assume at this point, even with an excellent patching policy, that you are probably going to get hit. And the approach that smart organisations are taking is to not only protect themselves from getting hit but to ask: what are we going to do when we are attacked."
Proctor says there are many intrusion detection and monitoring technologies and picking the right one is not easy. "It's basically a big mess out there. In one of my talks at the upcoming conference, I'll try to help people understand the value propositions of different technologies and when it's appropriate to use one technology versus another technology."
The conference will take place on 11 November at The Campus in Bryanston.