In the event of a significant breach, the best that can usually be hoped for from an unplanned crisis response is a costly investment in damage mitigation and remedial measures to "shore up" failed security. Even when such responses are effective, they provide little or no opportunity to move beyond the immediate concern and prevent future problems. Thus staff is forced to move from one crisis to the next, allocating security resources based entirely upon the order in which problems arise. This is a best-case scenario, assuming an effective response. In the rush of a crisis situation, it is all too easy to overlook key details and allow current and/or future adversaries to circumvent your new security measures. It is all too easy to rely on vendors more interested in selling their product than in addressing your specific needs.
Read more here about the security breach at MasterCard International that exposed the payment records of more than 40 million credit card holders.
In many cases, IT security insurance can prove to be an extremely effective approach to breaking the security deadlock. Like any other vendor, insurance brokers are primarily interested in selling a product, and they may or may not be able to tell you anything new about security practices.
They do, however, specialize in evaluating, managing and quantifying risk. As a result, they can be very helpful in identifying the appropriate level of risk for a given business and mapping out the most cost-effective way to achieve that level.
By placing dollar values on security threats, they also can be invaluable in educating management. Last but not least, of course, they provide compensation for damages in the event of a security failure.
Unfortunately, insurance is often not a practical option. Instead it typically falls on the IT staff to cajole management into a strategic planning process. In doing so, it is crucial to keep in mind why management tends to be reluctant to address the issue, and what biases IT staff may bring to the table.
Keep the discussion focused on the need to allocate resources appropriately and prevent "crisis mode" waste, rather than resorting to scare tactics, justified or not.
The goal of a good planning process is not to turn a network into an impenetrable fortress, but to make conscious, informed decisions. How much risk to tolerate? What kinds of costs and disruptions to tolerate? How much to spend, and how to spend it?
Enterprises will make these decisions one way or another. Taking a strategic view prevents them from being made by default, or by accident.
Contributing editor David Raikow has worked in the IT industry for 20 years as a systems administrator, Web designer and developer, Webmaster, consultant and, most recently, a writer. David primarily covers issues related to network security. He holds a law degree from UC Berkeley and occasionally writes about legislative and litigation-related topics. He can be reached at eWEEK@think-spot.com.
It's just as easy to get caught up in media hype around a purported threat that may or may not have any bearing on your circumstances. It takes only a small error in these circumstances to end up spending large sums with no resulting improvement in real-world security.