Top to Bottom Best Practice

Aberdeen says best practices for governing security span a wide range of activities, from board involvement to what happens daily within the enabling technologies that support an organization's missions. In between, security is fundamentally about how people interact with information systems.

More specifically, Aberdeen research shows that firms operating at best-in-class levels emphasize repeatable procedures, effective management of data and knowledge, an efficient and transparent organizational structure and strategy, and enabling automation technologies that assist with responses to business pressures.

"Most share this sentiment expressed by one respondent," Aberdeen says. "'There is no such thing as a silver bullet or a single source for security, and there never will be.' But most organizations automate when speed, business cycles or business seasonality force them. Many of the firms humbly admit their security programs still have a long way to go before reaching their full promise."

Aberdeen emphasizes that enterprises must maintain control and security of networks and systems. "Enterprises are struggling with trying to balance flexibility and agility with managing the risk that comes with unfettered access to information among employees, customers, business partners and suppliers."

CIO magazine polled practitioners and analysts for their own list of network security best practices.

1. Assess Your Risk

You cannot hope to cost-effectively secure the enterprise until you have conducted a comprehensive risk analysis. Seek to adopt a risk management methodology that will let you weigh the risks and costs of enterprise-wide protection. This is turn will help you prioritize the strategies for becoming secure.

"The concept, basically, is 'not all threats are created equal'," BioPassword's Wood says. When Wood became CSO at Microsoft he realized that if he signed up to a pledge to protect the company, he was setting himself up for failure. IT pros know their companies are susceptible and vulnerable to attack. Since no operating system is created invulnerable and no network is created impenetrable, nobody can promise to provide total security, he says.

"I knew I couldn't [completely] protect the company, and I knew if I tried, ultimately something would happen and we would fail," Wood says.

Instead, he took a macro-economic view of security, which involved dividing assets into categories, identifying key vulnerabilities against each asset and then assessing the relative probability of an attack against the detailed mitigation perspective he took into the exercise. Ultimately the team was able to come up with a number for each category that represented a high, medium or low probability of an event. "That allowed us to prioritize, if you will, the strategies for getting healthy or getting secure."

Not only did that let him allocate greater resources to the highest risk, it also gave him a way to communicate to the executives the entire risk or threat profile, so that they could understand which ones were not being acted against.

"In my role the most important thing in retrospect that I did was communicate what we weren't going to protect: the problems that we weren't going to fix, because the ones that you address, everybody knows about. The one you get rewarded for is for the attack that's never successful.

"For example, with respect to susceptibility to mass propagating worm virus, we set up a threshold and said 99 percent of the machines of the company, of which there were more than 300,000, would be protected - patched . . . We knew that 1 percent of machines in the environment would always be susceptible to an attack, whether to a worm or a virus or credential harvesting or otherwise, but what we said was 99 percent would be successful, and we had some strategies around the network to make it less damaging if the 1 percent became infected ultimately."

Consideration of the inherent security risks should become a part of the evaluation of any new technology.

"The most important thing to do before getting into the technology, getting into introducing controls like firewalls and stuff, is to actually understand the risk [of the new technology]," says Neal Wise, a partner with security service provider Assurance.com.au. "The most important thing for an organization to do is a risk assessment activity that allows them to ascertain the critical functions of the organization, and that in turn will identify the critical organizational infrastructure that supports those functions, which will include technology."

More often than not, people will jump immediately to the technology aspect of the solution. Inevitably that may come into play, but without actually having strong planning and having a supporting organizational policy and governance, before actually getting into the technology areas of security, you will be basically investing without actually having a context to make that investment in.

Depending on the size of the organization (some organizations will have internal audit personnel who may do some aspects of the risk assessment), the most effective way for many organizations to conduct a risk assessment is to assemble a group of interested stakeholders from affected areas, including technology, organizational management and finance, to contribute to the overall risk assessment. Security should be a consensus activity, Wise says. One person may have the responsibility for collecting the information, but they should acquire that from all parts of the organization in order to gain the complete picture.

"We tend to measure the value of our investments against the risk in dollars that we can mitigate," American Water's Larson says. "That's the business's decision, but the key point is the quantification of risk avoidance value in our investments."

"Really, what it boils down to is having an operational risk focus and driving the ownership of that risk back into the business, because they're the people who can really make decisions about what is the cost versus the risk," says one Australian CIO. "The IT security people are really just there to . . . facilitate that risk assessment but they're not the people who can be saying yes or no."