Friday | 10 July, 2009
CSO
10 of the Best for Security
As enterprises continue to automate processes and extend beyond traditional boundaries, they need to ensure that a strong security awareness program is in place.
Sue Bushell (CIO) 08/03/2006 16:14:49

9. Avoid Common Mistakes

One common area of weakness lies with standard software engineering practice, which frequently leads organizations to unwittingly develop insecure software.

"Many software engineering practices like cohesion, coupling and usability actually guide you to an insecure design. Understanding the difference between security and functionality when designing and testing is essential," Whittaker says. "Standard, off-the-shelf software engineering process is fraught with peril that too few within the developer community, generally speaking, understand fully."

Another area organizations consistently overlook is information classification. Many organizations have no concept of degrees of sensitivity (secret, confidential, private) for the information they hold.

"Information assets should be identified, clear ownership and responsibility for maintaining and preserving that data established - including access control for use, backups, and the like - and this should be communicated to the organization," Wise says. "It's difficult to deal with given the forms information can take - electronic, printed, stored copies, and so on. Having a clear indication of the 'value' to the organization of information, and the related systems, people and processes, can help an organization prioritize security efforts and investment."

Wise says organizations have too often rushed to implement technologies like wireless and VoIP without considering the security implications (see "Dial VoIP for Vulnerability", CIO February). "Wireless and now potentially VoIP are wonderful technologies and are great enablers, but if they aren't properly planned, implemented and then managed after that has occurred, they become significantly risky for the environment, because each of those types of technologies, if introduced, becomes an immediate source of risk - especially wireless, obviously, because of the fact that you're extending the network outside of the physical premises where you have the ability to control it."

Giving insufficient consideration to policy is another common failing, Wise says, with far too few organizations revisiting security policy and governance on a regular basis to ensure they remain applicable to the organization.

10. Don't Forget Your PCNs

As security becomes more complex and increases in scope, a further shift is under way: CIOs are increasingly being charged with overseeing Process Control Networks (PCNs), the networks that run plant and utility equipment and that have traditionally sat outside the IT security program.

For example, in the US, the electricity industry body NERC introduced its Standard 1300 for cyber security after the experience of the 2003 Midwest blackout. In Australia, the federal government has recently mandated a review of "critical infrastructure", with an emphasis on power, water supplies and government networks.
