Command an Incredibly Realistic Approach to IT Security
Currently, one of the IT skillsets in highest demand is “Information Security”. Unfortunately, it is also among the most controversial when it comes to the approach to take. Just as with networking and application development, there are multiple ways to approach IT Security, and much of that disagreement traces back to the field’s crude early history in its founding years. Since it is still a growing and developing body of knowledge within IT, a brief history helps in appreciating its current benefit to operations.
Security Years 1991-1999
Although the first major malware appeared in the early 80s, IT Security started to become “a thing” in the early 90s, when the Michelangelo virus became a widespread concern and the Internet began its enormous worldwide growth surge. This was the first generation of Information Security, and it struggled to formulate justifications for making impactful changes. Unfortunately, implementing those changes was expensive and error-prone, as were many IT changes during that period.
From 1997-1999, organizations worldwide absorbed the most costly IT changes yet as a genuine requirement to address the upcoming Y2K challenge. This forced both hardware and software upgrades, including desktops, laptops, and servers. Needless to say, once the Y2K work was complete, the world was tired of IT changes and the expenses involved. IT Security changes were just a small blip by comparison and were difficult to justify at that time.
Security Years 2000-2002
Many IT Departments went through extreme budget cuts in the post-Y2K period of the early 2000s. The entire IT industry collapsed quickly in early 2000. As an example, one Fortune 100 corporation cut all IT by 25% during Jan-Feb, 2000. Projects were cancelled and IT Departments were down-sized with 30 days’ notice. The most sizable IT cuts fell on projects, training, and security. Even CSO (Chief Security Officer) positions were being eliminated. The IT industry was slowly beginning to see some small recovery in mid-2001 until 9/11 occurred. After that, physical security and military defense took priority over the private sector’s IT industry and IT Security in general.
Security Years 2003-2005
As time moved on, viruses drew significant attention in 2003-2005. IT Security in the business world slowly began to return, and this drove modest overall growth in the IT industry. This time, however, it was understood that the old “fear factor” would no longer be tolerated as the sole justification. When IT Security issues caused a loss of money and clients, it was very easy to justify shifting resources to address those issues. Within a short time, the permanent need for IT Security was accepted. This business period is considered “IT Security Gen 2”. A logical, business-oriented approach was key to IT Security’s survival.
Although awkward at times, IT Security evolved to include a “likelihood” factor when explaining security risks. The business side of operations appreciated that realistic added factor. Management could relate it to its own practice of reviewing trends and forecasts with statistical approaches to support changes and implementations.
Information Security Today
Currently, IT Security is recognized as a valued addition to any operation. It is also now widely understood that there is no such thing as 100% secure software or hardware anywhere in the world. Going forward, decisions regarding IT Security are commonly based on the statistical likelihood of a risk, combined with the cost of a loss and the resources available. The biggest current issue is the conflict between available IT Security resources and the business impact of changes to the operation.
Today, as an added concern carried over from history, there are sometimes local IT security groups attempting to override the likelihood factor by concentrating on “potential loss and damage” as the sole security scenario. In other words, there is a tendency to return to the “fear factor” way of thinking as the single driver for forcing change. So, in balancing today’s IT Information Security from a management standpoint, the following areas need improvement:
- IT Infosec staff’s EQ (Emotional Quotient), aka Emotional Intelligence.
- Using risk activity trends and forecasting (nationally, globally, and by industry).
- A renewed emphasis on the likelihood of a risk scenario.
- Costing the implementation and maintenance of current and recommended security changes.
With that said, here is an overall list of aspects to consider as an approach to IT Security in current times.
- Follow NIST Standards as a Guide. One size doesn’t fit all industries or organizations. Your security approach must work with your Operation, Resources, and Customers.
- Be Open to current, developing approaches.
- “The Fear Factor” is old school from the 90s; it failed. Think reality with “Applied Security” that can be reasonably implemented and maintained in the future with affordable resources.
- All involved should understand that “Time” is a resource that equates to staff’s current availability and their current workload capacity.
- All involved should also appreciate that every change to be implemented will subtract from current work, unless pending layoffs are postponed or resources are added.
- Acquire a 2nd Opinion or Summary Review before Major Implementation Changes take place, if time permits.
- Embrace approaches using Risk Management skills involving estimated likelihoods of occurrence.
- Use security people who are interested in working and caring for the business or organization for improvements. That can be more important than their highest security certifications.
- Implement security operations, procedures, & policies that can be maintained on more than just the budget you had when they were put in place. Your security systems and methods must be adjustable during times of reduced budgets. Don’t build such a nightmare of administrative, systems, and approval layers that you later have to expend sizable resources to scale it back.
- Security Training is important; the individual is the weakest link. Use a 9-month recurring training approach instead of annual 12-month training for staff. Have “Refresher Training” for those who experience additional security issues or concerns.
- Significant security changes typically impact a workforce’s culture and may create an emotional resistance, including from management. Having some employees getting onboard in advance will help. There must also be senior management support in advance. So, appropriate approaches to address an upcoming big change could involve: 1) down-to-earth simple lay language to explain the need for the change, 2) mention the resources expended, 3) the benefits to be experienced, and 4) the logic and business decisions that decided the types of changes.
- Revisit the areas listed earlier that potentially need improvement in IT Security.
- View some of our services that apply in the Information Security arena.
Internet Security THREAT MAPS
Here are some current Internet Security Threat Maps. Each has its own sources of detection, layout, and set of threat types. For example, some focus on Denial-of-Service attacks and some on SPAM. Some are realtime and some are delayed-data “playback”; if one doesn’t say “realtime”, that doesn’t necessarily mean it isn’t. Some load quicker than others, and the slowest were not included in this list. Some are more intuitive than others. Each will open in a new window.