Business Initiatives and Corporate Goals

Dan Langin's views in the preceding section make it clear that legal action can be taken against a company when its security fails. Yet, even though the threat of a lawsuit hangs overhead, security is often an afterthought: after the network is installed, after the database is deployed, after the code is developed, after a serious attack causes damage. And when security fails, the biggest constraints on deploying security are often tied to management, such as budget constraints, lack of training, and policies that do not exist.

Executives often hand off the responsibility for security to systems administrators without giving them adequate funding to deploy the controls needed to secure and maintain the network. Because security is not included from the beginning, some executives seem to think it can simply be left out of the budget, and security becomes a moving target. For example, an executive may think he or she can hold off on intrusion-detection software until next quarter. Before you know it, a year has gone by and that CIO has left. A new CIO comes in and delays the purchase for another six months.

Security has a higher success rate when it is tied to (1) business initiatives and (2) a corporate goal. First, Costa Corp did not include IDS software as a necessary component of its e-commerce initiative. When that initiative went over budget, management felt it had to take funding from other efforts. Management decided to hold off buying the IDS software that was in the budget, had been approved, and had passed the evaluation testing by the security team. Instead, that funding was put into the e-commerce budget. The intrusion-detection software that was needed to protect the corporation was put on hold.

When security supports business initiatives, executive management will usually fund such efforts. Had management shown that the intrusion-detection software was scalable, had high-speed detection capabilities, detected known and unknown threats, and supported the e-commerce business initiative, the effort could have been funded. Furthermore, a deal could have been negotiated for a site license to protect the entire infrastructure.

Second, you can get security funded by tying it to a corporate security goal. An example of a corporate goal is to ensure the integrity of the data. A corporation whose goal is to ensure the integrity of its data shows an executive commitment to security.

A security officer, system administrator, or manager lacking a way to tie his or her security initiatives to a corporate goal will have a difficult time justifying the budget and can fail when up against other IT initiatives. Unfortunately, many corporations have not yet articulated security as a corporate goal. With threats on the increase and more sophisticated attacks looming over the horizon, those corporations may be sitting ducks when duck season opens.



IT Security. Risking the Corporation
IT Security: Risking the Corporation
ISBN: 013101112X
EAN: 2147483647
Year: 2003
Pages: 73

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net