These are the facts: Many companies have piecemealed their security capabilities. Because of this, auditors frequently hammer away at large enterprises, writing letters chastising the companies for their lack of appropriate internal and external security. At the same time, smaller organizations are scared to death of viruses and worms, while small dot.coms are painfully aware of their need to ensure that Internet-based transaction processing is secure. As business-to-business (B2B) e-commerce picks up, organizations will have no choice but to deploy digital signature, public key infrastructure (PKI), and perhaps even biometrics authentication technologies. This stuff is getting very complicated very fast.
So how should organizations migrate from where they are today to where they’ll inevitably need to go?
There are three watchwords that we ignore at our own peril: integration, interoperability, and solutions. Take a look at the figure below. Look at all the pieces of the security puzzle and see how deployment is dependent upon the integration and interoperability of a ton of technologies, products, and services. Your in-house IT organization can handle some of these technologies, products, and services, but some are well beyond their capabilities. Who owns integration? Who makes sure that all the technologies, products, and services interoperate? Key here is the development of a comprehensive security policy that defines a security architecture, which describes how authentication, authorization, administration, and recovery will occur inside and outside of the corporate firewall. But who should own the pieces of what should become your security solution?
Regardless of how many disparate security pieces you have today, you probably have too many. If you have more than one redundant or overlapping security service level agreement (SLA} you have too many. And if you’ve distributed security accountability across your organization, your security efforts are diffuse, at best, and dangerous, at worst.
Here’s the deal: Since just about every business on the planet will have to integrate its traditional business model with models that exploit Internet connectivity and soon, pervasive computing, bulletproof security will become a transaction prerequisite. Since just about every business has under-spent on security, they will have to find additional resources to solve the inevitable problems that distributed business models will create. All of the authentication, authorization, administration, and recovery problems will have to be solved by stitching together a variety of technologies wrapped in products and services. What will these technologies be? What products will you use? How will you support them? Can internal IT staffs cope with all of the changes?
Some advice: Unless you’re a security products or consulting company, get out of the security business. If you doubt the wisdom of this advice, stare at the above figure for five minutes. Can you cover every cell in the security matrix? For most, the answer will be no. At that point, you’ll realize it’s time to consider outsourcing security to vendors who can provide reliable, integrated, and interoperable solutions. But this advice does not extend to the specification of security requirements or the development of security policies. It’s always prudent to own the requirements and specifications that make up your strategy, and to optimize the implementation and support of that strategy, the tactics. In other words, it makes sense to in-source strategy and outsource tactics.
Finally, remember that success here is defined only around solutions – the integration of technologies, products, and services that work together as seamlessly and efficiently as possible. You need a single point of accountability that really gets your business. You need killer security requirements analysts who can specify security policies and architectures, and you need professionals who can manage the implementation of those requirements through the creative synthesis of security technologies, products, and services.
Your solution will be a hybrid that integrates some existing technologies and processes with a new set of technologies, products, and services that span the above matrix. The technology architecture must be flexible and scalable enough to integrate new technologies-PKI, smart cards, and biometrics, for example-and reliable enough to inspire confidence among your employees, customers, and suppliers. In addition to the myriad technologies, products, and services that support authentication, authorization, and administration, you need to take to make sure that you can resume business if you’re temporarily hacked into non-existence. Business resumption planning is yours but recovery tools, techniques, and services belong to your outsourcing partner.
It’s time to realistically assess what you can and should do to satisfy an increasingly complicated suite of security requirements. Unless you’re really special and very lucky, it’s time to call in the cavalry. Find a solid security systems vendor and stop worrying. The phrase “stay with your core competencies” didn’t semantically infiltrate the IT lexicon because it was pretty; it’s there because it’s meaningful.
Steve Andriole is the founder & CTO of TechVestCo, a new economy consortium that focuses on optimizing investments in information technology. He is the former senior vice president & chief technology officer of Safeguard Scientifics, Inc. and the former chief technology officer and senior vice president for Technology Strategy at CIGNA Corp. His career began at the Defense Advanced Research Projects Agency, where he was the director of Cybernetics Technology. Reach him at: [email protected].