What IT folks can learn from the acrimonious Arizona Immigration debate
Max Huang says the biggest lesson is that one-off solutions can bring about more problems than solutions
By Max Huang, O2 Security
September 02, 2010
I'm not much of a political junkie, mostly because I think a great deal of the discussion ends up being a shouting match between people of different parties and loses its problem-solving capabilities. Nowhere has this been more apparent of late than in the heated debate over the Arizona Immigration Law. To be honest, I'm no longer really cognizant of the substantive points surrounding the issue.
However, it dawned on me recently that I've seen this saga before, but in a different context. On certain occasions, I've seen CISOs execute well-intentioned responses to one particular threat or instance that fall outside their existing security policies and leave other aspects of their networks exposed or, at the very least, disconnected. The discovery of this backdraft usually precedes a "finger-pointing" evolution, pitting employees and supervisors against one another, with the underlying question being who didn't see the negative effect coming.
Here's the bottom line. IT security cannot and should never be conducted in a vacuum. Instead, strong care and consideration must be taken to ensure that it not only fits within a more comprehensive communications infrastructure, but also directly benefits the organization's overall strategic goals. It's easy to follow the latest threat, but the real benefit is in a security plan's preventative capabilities. So before the next CISO starts a heated argument with his CIO counterpart, I would suggest that person count to 10 and ask themselves these three basic questions.
1. Are the basics covered?
Reacting to the latest threat without having a solid security foundation in place will only lead to more problems. Ensure you've got fundamental protection in the forms of secure VPN access, unified threat management and email gateway systems before adding other layers to the mix. Doing otherwise would be akin to a baseball team taking the field without a pitcher; the game won't start unless someone's there to throw the ball.
2. Are the priorities set?
Often the biggest reason security policies and practices fail is that they try to solve all the problems at once or react to every issue as it happens. Doing so can stretch resources too thin to be effective. The key is to set priorities as a function of the level of risk to the organization as well as the company's ability to scale. A periodic reassessment is also a wise move. Cyber threats are continually evolving, and so should a firm's network security posture.