SC IT happens
Security Compromises in Information Technology are going to happen. It’s how you deal with them that matters.
It’s a fact that whoever wants to gain access to your systems or data can accomplish this if enough resources are put to the task. The amount of resources that your company spends on protecting its systems and data is typically the only factor that determines whether or when your company experiences its first or next security compromise, and also whether that security compromise is even detected.
The first step in avoiding a security compromise is determining your company’s risk, the value of your data or systems, and the amount of damage any compromise would cause, and then using that as a basis for determining the resources spent on protecting against a security compromise. How many security professionals does your company want to hire? How much freedom will they be given to interrupt business processes to improve security? How much money and time will they be given to accomplish their goals? How much time will be spent continuously improving the system and training personnel? I know that many company members reading this article right now know that their company hasn’t spent anything on information security. There is no perfect security, and no company has limitless resources to throw at it. Your company must simply pick a reasonable plan for the situation at hand.
Hindsight is 20/20. After something goes wrong, it’s going to be easy to see where your company’s plan wasn’t perfect. Or, if the plan was sufficient, perhaps the plan was improperly executed, or perhaps the proper amount of resources hadn’t been used to execute it. Whatever you do, don’t blame the plan, as long as it was reasonable given the information available at the time. It’s time to assess how the plan needs to be adjusted.
Don’t pick a scapegoat. It’s unfortunately easy for a company’s executives to decide to fire the security personnel after the company suffers a financial loss due to a security compromise. In my opinion, that is the worst thing to do. When a company has a security compromise, the company has found that it did not put sufficient resources on the task. It’s time to hire more security personnel, not fire the ones it has. It is extremely rare for a company to have a security compromise that was caused by the negligence of security personnel. Usually, compromises are the result of short-sightedness and apathy on the company’s part in establishing a plan, or in executing it. Usually the security personnel knew what needed to be done, but the company was hesitant to put the resources into accomplishing those things. Again, hindsight is 20/20. As long as your security personnel did what the company told them to do, with the resources the company gave them to do it, they can’t be blamed for a security compromise that was unexpected. All security compromises are going to be unexpected. A compromise will never show where your protections were sufficient, but only where they were not. If you weren’t ready to fire the security personnel before the compromise for lack of a reasonable plan given the information at hand, then they shouldn’t be fired just because there is new information.
When an organization has a security compromise, it’s time to hire a security consulting firm and probably some lawyers. It’s time to adjust the plan and to keep moving onward with the mission. It’s not time to have a blamestorming meeting.
However, it’s never too late or too soon to put more resources toward preventing your first or next security compromise.