
Talking Out Loud with ASB

Views on Life, Technology and Everything, by ASB (aka Logik!)...

Managing Information Security in 2009

Since the middle of 2008, we have seen an increase in the types and complexity of information security attacks that organizations have been facing. The widespread worms of 2004 and 2005 gave way to the targeted attacks of 2006 and early 2007. Things quieted down in the latter portion of 2007, as the security industry was able to clamp down on a lot of the botnet activity that drove the targeted attacks.

Many factors, including better anti-spam solutions, improved operating system capabilities, and better end-user awareness, helped to contribute to the slightly lower levels of threats leading into early 2008.

There is another key factor, however, which is often ignored, or at the very least, not well understood. As Bruce Schneier aptly points out in “Beyond Fear”, information security is not something you win outright; rather, it is all about mitigating ongoing risks. It is a persistent cat-and-mouse game between the protectors of the enterprise and the cyber underground.

As the good guys catch on to the techniques and approaches of the bad guys, and develop successful strategies to mitigate the risks that have been unleashed in the wild, the bad guys regroup to develop new mechanisms for attaining their goals. Over the past 5 or 6 years, cyber terrorism has moved from being the realm of uncoordinated, poorly financed individuals driven largely by ego and a desire for notoriety, to being the purview of highly coordinated, well-financed (in some cases, government-sponsored) entities with complex financial and/or political motivations. And they are more than happy to keep the publicity down to a minimum if that will ensure that more people and organizations remain in a vulnerable state for a much longer period of time.

A recent SC Magazine article points out some of the issues that organizations will face in 2009 as they look to secure their technology infrastructure from the growing threats. The task will not be made easier by the expansion of remote employees who need to be connected to the network without restriction, nor by the convergence of voice and data networks via technologies such as VoIP.

Organizations that properly inventory the various technology assets within their enterprise, generate a risk profile for each asset or asset group based on its importance to the overall business, and then begin to develop a mitigation strategy based on those risk profiles will stand the greatest chance of avoiding catastrophic or embarrassing attacks to their business in 2009.

Those that just try to do a little of everything, without regard for business value or prioritization, will likely find themselves answering to key constituents such as clients, customers, or various regulatory bodies when they suffer one or more breaches.

It’s not a matter of if you get hit. It’s a matter of how soon you will be able to determine that you have been hit, what steps you are already taking to mitigate the potential damage, and how you will restore customer confidence.

If it hasn’t been made sufficiently clear already, Information Security is no longer merely a technology function – it is the work of the business as a whole – and requires proper support across all business units to be effective. It is more than just a cost of doing business: it is a key driver of business success moving forward.

Posted: Friday, January 02, 2009 12:03 PM by Logik!


BrainWave Technology Tidbits said:

Since the middle of 2008, we have seen an increase in the types and complexity of information security

# January 2, 2009 12:54 PM

About Logik!

Andrew S. Baker aka ASB aka Logik!

Andrew S. Baker is a business-savvy, hands-on IT leader with expertise in mentoring people, mitigating risk, and integrating technology to drive innovation and maximize business results. He creates competitive advantage for organizations through effective IT leadership: implementation of processes and controls, and architecture of robust business solutions.

Mr. Baker has successfully led a number of high-performance technology teams in designing, deploying and maintaining secure, cost-effective computing environments for well-known companies, including Warner Music Group, The Princeton Review, Bear Stearns, About.com, and Lewco Securities.

For over a decade, Andrew has exhibited thought leadership on technology and business topics via mailing lists, technical forums, blogs, and professional networking groups, along with contributions to podcasts, webinars, and over 20 technical/business magazine articles. He also serves on several boards and committees for non-profit organizations, and within the Seventh-day Adventist church.

His personal interests include Astronomy, Basketball, Bible Study, Chess, Comics, Computers, Family Life Ministries, Reading, Strategy/Role Playing games, and Professional Networking...

A summary of Andrew's current résumé is available here, and he can be reached on a variety of social and professional networks, including LinkedIn, Facebook and Twitter.