On the other hand, IT staffers are often reluctant to aggressively advocate for security measures. It is difficult enough, after all, to meet all of maintaining a modern business network without taking on tasks that management does not consider a priority. The most obvious consequence of a lack of strategic planning is an underestimation of security risks, and a resulting failure to allocate sufficient time or resources to addressing them. Poor security often has no obvious impact on a business until something goes seriously wrong; indeed, major, damaging security breaches often go completely unnoticed until well after the fact.Read more here about why companies should formulate clear security policies and communicate them to employees. These habits tend to reinforce themselves over time; the longer it has been since anyone has had to deal with security, the less likely it is to end up on a budget or at the top of anyones to-do list. Meanwhile, the staff is more likely to deactivate or circumvent various security measures in the name of convenience or new functionality. A less obvious but equally damaging consequence of an ad hoc approach is the haphazard misallocation of security resources. When security issues do attract attention, businesses without a strategic plan typically find themselves operating in "crisis mode," and are often unable even to assess the nature or applicability of the issue (never mind responding in a sensible, effective, or cost-appropriate manner.) This stance leaves businesses vulnerable not only to the various parties seeking to breach their security but to unrealistic marketing pitches and media hype as well. In the event of a significant breach, the best that can usually be hoped for from an unplanned crisis response is a costly investment in damage mitigation and remedial measures to "shore up" failed security. Even when such responses are effective, they provide little or no opportunity to move beyond the immediate concern and prevent future problems. As such, staff is forced to move from one crisis to the next, allocating security resources based entirely upon the order in which problems arise. This is a best case scenario, assuming an effective response. In the rush of a crisis situation, it is all too easy to overlook key details and allow current and/or future adversaries to circumvent your new security measures. It is all too easy to rely on vendors more interested in selling their product than in addressing your specific needs. It is just as easy to get caught up in media hype around a purported threat that may or may not have any bearing on your circumstances. It takes only a small error in these circumstances to end up spending large sums with no resulting improvement in real-world security. In many cases, IT security insurance can prove to be an extremely effective approach to breaking the security deadlock. Like any other vendor, insurance brokers are primarily interested in selling a product and may or may not be able to tell you anything new about security practices. Click here to read how security executives at U.S. government agencies are taking direct responsibility for security measures in their organizations. They do, however, specialize in evaluating, managing, and quantifying risk; as such they can be incredibly helpful in identifying the appropriate level of risk for a given business, and mapping out the most cost-effective way to achieve that level. By placing dollar values on security threats, they can also be invaluable in educating management. Last but not least, of course, they provide compensation for damages in the event of a security failure. Unfortunately, insurance is often not a practical option. In this case, it typically falls on the IT staff to cajole management into a strategic planning process. In doing so, it is crucial to keep in mind why management staff tends to be reluctant to address the issue and what biases IT staff may bring to the table. Keep discussion focused on the need to allocate resources appropriately and prevent "crisis mode" waste, rather than resorting to scare tactics (justified or not). The goal of a good planning process is not to turn a network into an impenetrable fortress but to make conscious, informed decisions: how much risk to tolerate, what kinds of costs and disruptions to tolerate, how much to spend and how to spend it. These decisions will be made one way or another. Taking a strategic view prevents them from being made by default, or by accident. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
In the absence of a strategic plan, it is all too easy to continually postpone addressing security issuesparticularly regular assessment and maintenanceuntil more urgent concerns are dealt with. Unfortunately, very few businesses ever run out of urgent concerns.