A six-part strategy to step up security

Companies have recently been curtailing their IT spending, and security bears a hidden cost. For years security was an afterthought, and as a result it lagged far behind the rest of IT in dollars spent. The result today is less-than-ideal corporate security and little money directed at fixing the problem.

Mark Doll, the New York-based Americas director of Ernst & Young’s Security Services, recently spoke in Toronto, in part to promote his new book, Defending the Digital Frontier, and in part to pass on insight gathered from years of experience.

He says the biggest factor inhibiting IT security is related to a lack of spending. Doll told the audience of a conversation he had with the CEO of a company that spends US$3 billion annually on IT. When asked about his company’s level of security he told Doll, “I never even thought if it was secure or not.”

He said Ernst & Young’s own white hat hackers paint a scary picture: a third of the time they hack into a company, they find that they are not the only hackers there. It takes the white hats an average of eight minutes to get into most Fortune 1,000 companies.

Doll outlined a six-part strategy designed to bring security into the corporate fold. The first security characteristic is to “attain and maintain the appropriate alignment between digital security…and business objectives to guarantee focus on the overall objectives of the organization,” he wrote in his book. Part of this can be done by reducing the number of levels between the CEO and security decision makers. “Good solid organizations have that compressed,” he said.

In some cases those responsible for security have direct, or very close to direct, contact with the CEO, he said. Often CEOs have no idea how bad a situation can become if there are too many layers insulating them from security reality.

Second on the list is the need to have an enterprise-wide strategy, one which includes customers and partners, because often their problems can become yours. Security also has to be “baked in” to outsourcing contracts. This is a shift in thinking since most outsourcing deals focus on cost reduction or increased efficiencies, not security, he said.

Third, Doll calls for continuous, real-time system monitoring. “Annual is not enough,” he said. Doll admits this is a challenge, but one for which there is no viable alternative, since threats and vulnerabilities can become full-fledged attacks in a matter of days or hours.

Fourth, companies need to be proactive so they can anticipate potential threats, not just react to them. One common problem is that companies often overspend on issues that never happen again. “Lightning very rarely strikes exactly the same way twice,” Doll explained. So companies need to spend less on what just got hit, and more on what is likely to get hit next.

Fifth, Doll is a firm believer in third-party validation. Internal validation is never wise as a sole strategy, since it tends to create blind faith. Third-party validation also helps organizations rid themselves of the “emperor’s new clothes” scenario.

The final strategy, and one Doll stresses, is to create a workable, formal security contingency plan. A 3,000-page binder sitting on a shelf collecting dust helps no one. He said to limit the book to “something that people actually read,” 10 pages, ideally, but no more than 20.