Approach

In the first decade of the 21st Century, business and government face an unprecedentedly complex, fast-changing, and little-understood threat landscape.

Against a backdrop of global economic and political instability, new and virulent strains of fraud, terrorism, and computer-borne attacks have emerged - and continue to emerge and evolve - as major risks to the enterprise.

Mitigating these risks is not an option: this is true not only as a matter of business common sense but also, more and more, to comply with the law as governments around the world attempt to address the various problems at the legislative and regulatory levels.

How should executive leaders deal with this new reality? Here are the core principles that guide our strategic approach to protecting an enterprise's profits, assets, reputation, and viability.

Security is only effective -- and cost-effective -- when you approach it holistically

What is holistic security?

It is a methodical, top-down approach in which the security of people, assets, products, processes, and information is coordinated under a single executive line of authority and a single policy that is tightly aligned with the enterprise's overall business goals.

Holistic security is practicing risk management instead of "black-and-white" physical or information security. It is the opposite of "silo security" which attempts (and increasingly fails) to separately and distinctly secure people, assets, products, processes, and information without recognizing their interrelated nature.

Silo security is putting up a firewall or intrusion detection system without physically securing the equipment it resides on against access by unauthorized company insiders or "social engineers". Or installing a video surveillance system without protecting it from being hacked over the Internet.

Silo security is a holdover from the days, not long ago, when physical and information security were unrelated. The corporate security department concerned itself with "guards, guns and gates", while information security was an esoteric discipline, handled largely as an afterthought by the IT department. The two sides rarely, if ever, even spoke, let alone coordinated their efforts. There was no need.

That all started to change when networks and the Internet came along, resulting in information becoming a distinct asset -- not only an asset, but a critical one, and in an increasing number of enterprises the MOST critical one. It changed definitively when a wave of attacks on information assets (employee laptop theft leading to consumer identity fraud, for example) brought serious financial consequences to corporate victims in the form of lawsuits, fines, and worst of all loss of customer and shareholder goodwill.

In the post-mortem meetings, it was impossible to point the finger at either corporate or IT security: both groups were partly responsible but, as previously mentioned, cooperation between the two was next to nonexistent and there was nobody in the executive suite charged with mandating and enabling such cooperation. The result, in many organizations, was creation of a Chief Security Officer role, which brought the two areas under "one roof": a single line of executive authority and accountability, and a single enterprise-wide security policy.

This is how the trend toward holistic security management started. It happened first in those industries with the most to lose: financial services and government; but it has since spread to all sectors of the economy. In 2008, it is still only a trend, however, with many companies still practicing silo security.

The key point is that silo security is a legacy strategy which made perfect sense only a few years ago, but today does not address the most critical security risks that an information-driven enterprise faces, and thus it may be tantamount to negligence. If your organization is still practicing silo security, now is the time to re-evaluate your approach.
