Building a Blueprint for Network Security: Page 4
A Culture of Security
This points to the cultural aspect of security — too often users regard security measures simply as impediments to their work, annoyances that are circumvented whenever possible. It’s only when a culture of security is instilled into an organization — so that every employee is aware of security measures and why they have been put in place — that security can be effective. “If you get employees involved, there is a far higher chance of succeeding in improving security, and getting employees to keep other employees in line,” Wilke says.
Outside consultants can certainly add value to a security exercise, but their greatest value comes only after it’s clearly understood what needs protecting and once all employees have been involved. “The types of attacks that companies are experiencing are changing constantly, and most companies can’t cope themselves, so it simply makes sense to get outside help,” says Mike Arnavutian, head of security strategy at BT Global Services.
“A security consultant like us can manage security for a company, removing risk and taking liability — and would charge on that basis.” It’s not only expertise that consultants can bring: security specialists can often offer considerable economies of scale. “If you look at the cost of monitoring and managing a system, it’s often cheaper for outside experts to do it for you,” he says.
Outside companies can also help by providing alternate facilities for use in a disaster, which may often be necessary from a risk management point of view, but which can also be prohibitively expensive to equip and leave standing idle.
When is it safe to say “enough is enough,” and relax in the knowledge that the network is secure and all prudent measures have been put in place? Sadly, the answer is “never.”
Security is a process, not a task, and it needs to be reviewed critically and regularly. New threats appear all the time, and measures that are satisfactory one day may be woefully inadequate the next. The only way to be sure that you are doing enough is by understanding that when it comes to security, nothing is ever enough for long.