Feb 23 2007

Lean on Your Common Sense

Avoid three typical information-security mistakes.


Photo: Hot Shots Imaging
Jim Shanks, Executive Vice President and former CIO of CDW

Information security is complex, but it’s still a mixture of knowledge, technology and common sense — leaning heavily on the common sense part of the equation.


Yet somewhere between the knowledge and the common sense, and actually putting security into action, technology managers and security administrators fall prey to several of the same mistakes. Avoiding these pitfalls can make a huge difference in protecting your data or network.

Place security ahead of novelty or convenience. When a new appliance is introduced or your operating system vendor releases a new version, don’t be compelled to jump on the bandwagon. Before choosing to deploy new technology or upgrade old technology, you must determine the business benefit.

You generally have the benefit of firsthand knowledge of how your existing environment works and how to secure it; you also know and may have even fixed many of the flaws and vulnerabilities. A new product may have snazzy bells and whistles, but if it doesn’t help solve a real need, fill a gap or significantly affect the bottom line, you need to strongly consider whether your business should adopt it.

Plan ahead. Bad things will happen. Data centers will catch on fire. Hard drives will crash. A zero-day attack or wild worm will infect and compromise your network.

Trying to figure out what actions to take and who to contact as the incident is occurring just fuels the disaster and inflates the negative impact of the event. The time to figure out what you need to do is when things are running smoothly and the proverbial “stuff” is not hitting the fan. Create an asset inventory, risk assessment and incident response plan so that you can prioritize and understand how to address concerns. Identify which groups or individuals must be involved to most efficiently handle a given incident. Individuals should be designated by title or role, and not name only, so that the response plan doesn’t have to be re-created every time someone changes positions.

Don’t forget to keep your plan in a place where it can be accessed and used during an incident. Storing it as a file on a server in the data center (the one that is on fire now) would not be wise.

Security goes beyond the box. There is no silver-bullet appliance or application you can deploy that will automatically and proactively secure and protect your network. There is no tool or technology to secure your network without monitoring and maintenance. Security is neither a product that can be purchased nor a moment in time that passes. It is an ongoing process that often is as manual as it is technology-driven, and that changes and evolves as the needs of the business and the threat landscape change.

These suggestions are by no means comprehensive. There are a great many more mistakes that can affect your network security. But these three mistakes are, however, among the most common and most easy to rectify.

Still, it’s up to the information technology team to know when and how to apply knowledge and technology to understand the architecture of the environment, the threats that might affect the technologies you use and the needs of your business. IT then must execute on the common-sense part of the equation to make sure that the technologies employed and the processes followed make sense for the business and add more value than risk.

Jim Shanks is executive vice president of CDW, a $6.8 billion technology services company.