Turning the Tide on Cyber Crime
By Michael Endrizzi, CEO, Security Evolution, Inc.
The CSI/FBI (www.gocsi.com) security survey released recently (June 2004) indicates that companies are beginning to reduce the number of intrusions into their information systems. And it only took them about 15 years to figure out how to do it! Permit me to share my views on why we are beginning to turn the tide on cyber crime.
One of the biggest mistakes made fighting the information security (IS) battle was that the responsibility was assigned to information technology (IT). IT's inherent role is enabling technology. Information security requires a restrictive mindset. The following scenario illustrates the tension that results when IS responsibilities are bundled under the IT role:
- Management tells IT, "Install this new system and connect it to the Internet." (enable)
- The next day, Management asks, "Why did you let this virus in through the system?" (restrictive)
- IT then enacts security controls. (restrictive)
- Management asks, "Why are you making it so hard?" (enable)
Is it any wonder that IT departments are frazzled, and managers are scratching their heads over the lack of effective IS? This kind of scenario points to the key reason that effective IS has been 15 years in the making: Information Security is a crusade that needs to be fought with the right people, the right tactics, and the right equipment.
Information security is about Management 101, not technology and blinking lights. How do businesses protect themselves from fraud? How do businesses protect themselves from personnel lawsuits? How do businesses protect themselves from Sarbanes-Oxley lawsuits? Policies, procedures, audits, metrics, training, vigilance. Management 101 in all its glory.
So, how do you apply these concepts to your business? First of all, realize that you have the general ideas already in practice. If you are running a business, you know something about Management 101. Just take that knowledge, and apply it to information security, with the following steps in mind:
1.) Move information security (IS) away from information technology (IT).
IT people enjoy being enablers. Think of them as your information "military". When there is a project (mission) to be accomplished, with clear goals and objectives, send in the IT. They'll create solutions, and move on to the next battle.
Think of IS as your information "police". Like a street cop, their mission is to keep the "crime stats" as low as possible. They vigilantly guard against intrusions to your information network/systems, and come back the next day to do it again. IS through Management 101 principles runs the ongoing crusade to ensure security controls are in place with policies, procedures, audits, training, etc.
If you have no one in-house with the expertise to manage IS, outsource it. That gives you the opportunity to focus on what your business is really good at, and hire someone who is really good at IS.
2.) Use metrics to measure performance
Sales people love to say "We have $1 billion in the funnel!" and hate to disclose their actual closings and compare them to their quotas (unless they are above quota!). Similarly, IT people like to report "We stopped 10,000 viruses". Unfortunately, it is not the 10,000 that will bring down your business. It is the one that gets in. So make sure the metrics reflect how many incidents occurred that had a negative impact on the business and how much they cost the business.
3.) Lead, follow, or get out of the way.
As a business owner, you lead by example. If an employee shares a password and it's against policy, then fire them. If you share a password and it's against policy, then fire you. If employees go to training, then so should you. The best generals are the ones that sleep on the same cold floor as their troops.
Information security is an effort in vigilance that can be - and has been - won by many firms, as the CSI/FBI statistics have shown. Just make sure you approach the crusade with the right people and the right tools.
Michael J. Endrizzi, CEO of Security Evolution, Inc., has over 16 years of experience in information security. Having assisted in the development of highly classified systems for the US Navy, CIA and NSA, Michael now shares his experience in information security through the development of many of Security Evolution's training curricula. To learn more about Security Evolution, Inc. visit their website at www.secev.com.