Security Survival Guide (cont.)

Beating the bad guys at their own game

At the heart of the new pragmatism is looking at security as a risk management issue. Rather than trying to eliminate all potential threats, you instead prioritize risks, decide which risks are most important to avoid, and then focus resources on preventing those breaches in security. "One of the first steps that organizations have to do, if they haven't done it already, is to understand what their asset base is, where that asset base is at risk, and whether that asset base is vulnerable," says Allen. "We're now beginning to see inklings of the convergence of the business continuity community with the security community because security events are going to happen."

At Wyndham, for example, Armstrong's approach to threat management includes vulnerability assessments, a policy program, intrusion detection, extensive monitoring, and correlation of all of that information into metrics and reporting.

Talk to me

Whether you're creating a new security strategy or revamping an existing one, maintaining close ties with other parts of the business is crucial. Leveraging the corporate culture whenever possible is also important. "Security today is as much about building the relationships as it is about implementing the controls," says Armstrong. "It's not about fighting the culture. It's about figuring out how you can insert yourself into the culture." Creating a security council that includes stakeholders from across the business, for example, will help forge stronger relationships. "Having a presence, building relationships with people across the business, means there will be understanding and respect for your message," says Orner. "Otherwise, it's just a policy coming from corporate and nobody really embraces it." Carlson, Wyndham, and Standard Register all have security councils that meet quarterly and are actively involved with various aspects of security.

Education is also crucial. "We've embraced security awareness and training for all employees because information security cannot be achieved without people," says Orner. "If you put the best technology in place but then somebody decides to post their passwords on stickies or not encrypt their information in emails, then it's ineffective."

Explaining the rationale behind the strategy also opens the door to other conversations. "My approach for my team is 'never tell them no' and to offer options instead," says Spurlock. "Then they are more likely to come to you when they are implementing a new solution or they need help."

The bottom line

It's trust and your relationship with the customer that may suffer the most if a security event occurs. "I believe the most serious incidents are those that affect a company's reputation," says Allen. "Many of the organizations we work with are much more concerned about reputational risks than financial risks because a damaged reputation is so difficult to recover from."

Looking at it another way, guarding your reputation as a secure organization can translate into a distinct advantage. "Information security is a top priority at Carlson, and we believe that being a trusted company and having customers know that their information is safe with us is a competitive advantage," says Orner.

Louise Fickel has written business and technology articles for such publications as CIO, InfoWorld, Profit, and Network World.

©1995 - 2007 Symantec Corporation