Before circling the wagons, know your needs: financial executives need to focus on critical technology needs and vulnerabilities, and not be swayed by technical jargon and their own lack of knowledge. Establishing priorities and striking a cost-effective balance are critical.

Author: Kaitenheuser, Skip

Before you find the right solution, you need to ask the right question. That's long been a sturdy maxim, but probably never more true than with information technology (IT) security.


"Beware the barrage of facts and statistics calculated to belittle an executive's understanding of technical issues," warns Jim Litchko, a former staff chief for the director of the National Computer Security Center. "They promote FUD--fear, uncertainty and doubt--that dire consequences will ensue if the client doesn't fly toward the solutions being sold. This is often peppered with acronyms to keep the technical jargon confusing.

"This isn't an arena where executives, particularly financial executives, can just toss the ball to outsiders, or even in-house specialists, to call the shots," adds Litchko. "These are decisions about risks, priorities and what strikes a cost-effective balance. They require a keen understanding of a company's business operations, overall needs and growth direction, and officials who routinely make such judgment calls. If managers don't lead this effort, it will lose focus, become unwieldy and expenses will slide up."

Litchko teaches network security at Johns Hopkins University and advises managers in organizations from the Defense Department to casinos. He stresses that managers need to approach an analysis like picking up a new card game. "Learn the rules and objectives, then study players' capabilities, motives and weaknesses before building a strategy," says Litchko. "Go for proactive interference, don't just wait for things to happen and luck to intervene."

Assessments start with defining a goal, says Litchko. Why are solutions needed? Are they driven by regulation, law or fear; who is involved; and who should be? What are the individual motivations, and where is the organization in its budget cycle?

Security assessments are cyclical processes that review an IT system's security to determine what the appropriate level of security should be, what the risks are and if there is a contingency plan to recover from any security incidents.

This begins with identifying what information is sensitive, what services are vital and which information must be highly accurate. "A critical judgment call," says Litchko, "is who and what software applications need access to specific information, and when. Then the focus shifts to a system's vulnerabilities and the threats that might exploit them, and weighing the impacts if security is compromised."

It is at this point, after identifying an organization's biggest security concerns, that one can start seeking the right solutions to counter them. It also becomes easier to identify residual risk--threats that countermeasures are currently too expensive to eliminate completely--and to set out a recovery plan if the worst happens.

"You can provide total security solutions, but you can never make...
