It's the time of year to reflect on the good security choices you've made over the year, the defense-in-depth strategy that you've decided to follow, and plan for your response to future threats and virus outbreaks.
It's an excellent time to review and reflect on your organization's security strategy, to see what's working and what's not. For this month's column I'm going to pose a number of questions that can help you review your environment and plan for future threats over the coming year.
Review your infrastructure
Your organization's underlying infrastructure is one of the broadest and most all-encompassing areas of your IT environment, and it affects security at every level -- including the propagation of viruses and worms. Is your defense-in-depth implementation working? Or are you still vulnerable to leakage, such as via a mobile workforce that picks up viruses while on the road? Virus infections from traveling employees with laptops are, unfortunately, a fact of life, but the threat can be minimized through proper strategy, planning, and the quarantining of infected machines. You can also look back at threats you've seen over the past year. How well did the security team respond to the most recent virus threat, and was it contained within a short period of time? Have you calculated the cost of responding to that threat?
In your infrastructure planning, have you implemented a centralized desktop management strategy to enforce security policies, restrict network access, and manage security updates to supported applications? In addition to current AV software, this approach alone can have perhaps the greatest impact on minimizing the spread of viruses and worms.
Large organizations without a desktop management policy today can easily receive full ROI within a three-year planning window, and in many cases much faster than that. A centralized desktop management approach can be an excellent method for distributing security patches for both the operating system and your applications, and for preventing the spread of malware.
Review your applications
Do you have an identity management and/or a single sign-on password strategy? With fewer passwords for users to remember, it is much easier to enforce a policy of strong passwords and enhance the security of your applications. Easily guessed network passwords such as "password" and "123456" are now built into many viruses and worms, and these must be eliminated. To that end, have you implemented multi-factor authentication yet? And if not, why not?
Have you evaluated the security of your users' web browsing habits? In other words, have you come up with a plan and timeline to replace Internet Explorer? There are far more secure (and standards-based) browser alternatives now, each built on a different security model and most without the legacy of Internet Explorer's dozens and dozens of critical security flaws. Or, if your organization has chosen to continue with IE as your browser of choice, have you developed a plan to implement multiple layers of spyware prevention, along with the weekly updates that each of these solutions requires? Which approach do you anticipate will have the lower support cost?
Review your spending
Is your annual security budget increasing or decreasing? I would venture to guess that, almost across the board, it's going up. How much are you spending with different vendors? Now would also be a good time to determine whether you are too reliant on any one vendor for your security needs, which can quickly throw a wrench into your defense-in-depth plans.
When reviewing budget projections for the coming year, it's too easy to put faith in new hardware or security appliances which may or may not solve an existing threat. In your planning I would encourage you to consider the human factor, your employees and consultants, as your greatest asset to thwart or respond to security and virus concerns.
Whenever there is a security threat to be managed, there is a cost associated with that threat. Speculating on the direction of future viruses and malware on non-Windows platforms (as justification for sticking with the status quo) is far less useful than evaluating and making decisions based on the current environment today. I would encourage those managers considering lower cost desktop alternatives like OS X and Linux to factor in the costs of managing the virus threat, responding to virus threats, anti-virus applications and updates, spyware application deployments and updates, all into their ROI calculations on managing the desktops as a whole.
Plan for the future
The adoption of web services for key corporate applications has greatly reduced your dependence on any one operating system or platform. This was part of the vision seen way back in 1994. Now that your accounting and payroll system, human resources management, calendaring, messaging and document management offerings are all available through a web browser, it's time to finally evaluate alternatives to the platform you've chosen to support as a client desktop. Take a step back and review how far you've come, but also your continued reliance on any one platform. It's a very useful exercise to evaluate alternatives where far, far fewer viruses exist (if any, as is the case with OS X) and see what the cost of supporting and switching to those would be.
As critical applications continue to move to a web services model, via standards and emerging standards such as XML and SOAP or .NET, are you confident that your choices are safe and secure? If you can agree that the browser is now a critical client application in your environment, then why are you still tied to a single operating system, platform or vendor? And is that reliance on a single platform required for everyone, from the secretary to the Senior VP?
Finally, it's good to take a step back and ask whether, on your client desktops and back office servers, it is still wise to put almost all your eggs in one basket. I believe this is the most pragmatic approach. I'm not going to delve into any discussion of monoculture or monopoly here; instead, let's simply ask the hard question: does the security track record of your current vendor show they are a company that you can trust? Their actions must speak louder than their words. What are competing vendors doing in this space, and are their track records for responding to security threats any better?
This Christmas season, take a step back from your day-to-day routine to look at where the security of your IT organization is really headed. Some abstract thought, before diving into the hard numbers, can be a great way to come up with a good plan.