“Panic is too strong a word,” explains Ed Shapland, senior manager, Security and Network Infrastructure with Cap Gemini Ernst and Young’s Critical Technologies group. “Recent events starting with the terrorism of September 11 have certainly raised the awareness of senior executives to the security issue. More eyeballs means more funding. These are all good things,” he says. But Shapland also cautions that there is a real danger today of letting current events drive the security planning process. There is a lot more involved.

Shapland would like senior managers to think outside the tactical box about broader business-driven security planning agendas. This is important, he believes, in order not to craft security solutions that are simply bolted on as the need arises. A classic example is the Wall Street Journal, which was able to print its September 12, 2001 edition from its alternate site in New Jersey even though its headquarters next to the World Trade Center had been knocked out. That’s strategic planning at its best; the consequences of a reactive approach in this instance would have disrupted the business severely.

The Internet, according to Shapland, drives so much of today’s business. One of the cornerstones of e-business is collaboration with scores of partners – an e-business value add. But this collaborative process also introduces security threats, he says. If an enterprise does not have policies set at the highest levels to both encourage collaboration and identify the security exposure resulting from this collaboration, it is headed for trouble. Collaboration with the enterprise’s ecosystem is an e-business necessity, but so is analysis of its limits for this specific business environment and codification of the same in clear and succinct business policies. Another example of business-driven security planning might be the current push to implement sophisticated access systems. “It’s easy to mandate that all access will be driven by fingerprint technology, but implementing that might use up the entire security budget,” he says.

“Many security projects have been derailed because they were the product only of the company’s security department. The first thing we want to know is who is the top-level endorser? It must be a CXO-level executive. Without this critical sponsorship, the project has little chance of success. Then, I’d want to explain that in today’s fast-moving environment there is no room for the old-fashioned static security planning process, where a security plan was created with a view to updating it every three or so years. That just doesn’t work any more. The process today has to be dynamic, adaptive and always coordinated with the security and IT departments. The IT departments are the implementers, so they must be involved from step one. And, finally, as I have mentioned before, inject some business realism into it.”

At this stage Shapland’s methodology can take one of two directions: either a vulnerability assessment, which analyses the current corporate security environment and identifies the holes, or an invitation to the company to share its security policies, and the thought process which has gone into them, with Shapland and his team. The latter is particularly useful in determining the level of strategic thinking embedded in the company.

Excerpt from ebizChronicle.com, 06/25/02
