Managing security complexity is the number one obstacle that enterprises face today, according to a recent Check Point and Ponemon Institute survey of over 2,400 IT security professionals. With the prevalence of data loss and the proliferation of Web 2.0 applications, mobile computing and the rise of sophisticated, blended attacks, it is no wonder that businesses—regardless of their size—are struggling to keep up with the evolving threat landscape.
More and more companies are realizing that security must be a more central part of their overall IT infrastructure, to achieve the level of protection that they need in the twenty-first century business environments, companies should consider implementing a blueprint for security that goes beyond technology and can engage employees in the security process, and ultimately, helping organizations align their IT policies with their business needs.
Also read Jennifer Bayuk's How to write an information security policy
In order to transform security into a business process, organizations should consider integrating three critical dimensions of security: policies, people and enforcement.
- Policy: First, customers need to start by defining a policy that is widely understood in the organization. These policies should be presented in simple business terms, not just technology terms. Most organizations today do not have policies that are easy to understand, and they often neglect to inform their employees of these policies. To enforce better security across all layers of the network, organizations need to be able to see the security solution from a holistic view—see where and how all the technologies fit together in order to understand where risks may reside.
- People: The second and most important dimension of 3D Security is the people, the organizations employees. Internet use in the office has changed dramatically with the wide adoption of social media and Web 2.0 applications. Security used to be handled by simply blocking specific applications, ports, protocols, or web sites entirely; however, as web applications have evolved, businesses have recognized many of them as valuable methods of communication and collaboration. However this recognition has challenged IT administrators with protecting the organization against a wide range of new and emerging threats, without inhibiting employees or stopping the flow of business.
At the end of the day, users are a critical part of the security process. Indeed, it is often the user who makes mistakes that result in malware infections and unintentional data loss. Most organizations do not pay much attention to the involvement of users in the security process, when, in fact, employees should be first in line to be involved and included in the process. They need to be informed and educated on their organizations security policies, as well as on their expected behavior when accessing the corporate network and data. Just as they can bring security breaches to the organization, users can also play a large role in minimizing them, provided they receive proper training and information. At the same time, security should be as seamless and transparent as possible and should not inhibit users or change the way they work.
- Enforcement: The third dimension is enforcement. Security is about gaining better control over the many layers of protection. Unfortunately, corporations often find themselves losing control over the disparate policies from the many various solutions that they use which can create greater IT complexity or security holes in between point products. By combining three critical elements policies, people and technology organizations can enforce security as a business process. This all needs to be done in conjunction, ensuring that all these layers work together from the users, to the content, applications, data and the network all layers of security should act together. Again, enforcement of security needs to happen with a holistic view to ensure all policies when enforced dont leave gaps and preventing threats, not just detecting them.
To improve security, organizations need to accomplish a better understanding of their current environments and outline their top priorities both short and long term initiatives. For example, businesses today have cited governance, risk and compliance (GRC) as the top security priority for 2011 followed by securing endpoints, protecting against evolving threats, data security and securing virtual environments (Check Point and Ponemon research, 2011). Achieving 3D Security is not about deploying products and accumulating technologies its about raising awareness about todays security challenges, providing best practices to organizations, and linking them to high-level business needs and strategies. By educating end-users and consolidating security with a holistic view of the organization, companies can minimize IT complexity, while enabling the business.
Juliette Sultan is head of global marketing at Check Point Software Technologies.