Calculating risk -- and what to do about it -- has long been one of the most difficult parts of computer security. On the one hand, you don't want to apply so much security that it ties operations in knots. On the other, the risks of insufficient protection can be catastrophic. So how do you quantify risk and apply the right amount of resources to offset potential threats?
Preparing for major attacks is a lot like preparing for hurricanes. They don't hit often, but when they do, all bets are off. Just ask victims like Sony or RSA: One serious hack can cost a company millions. Some companies, such as DigiNotar, are no longer in business. The lucky ones, such as HBGary or Stratfor, simply had embarrassing stuff dumped into the public domain. I personally know of companies that, behind the scenes, have been penalized hundreds of millions of dollars and lost major government contracts due to continued successful hacking.
[ Also on InfoWorld: Paul Venezia draws his own lessons for the data center from Hurricane Sandy -- and they may apply to your facilities. | Keep up with key security issues with InfoWorld's Security Central newsletter. ]
The question remains: How do you protect your company from once-in-100-year hacker storms without wasting time and resources?
Kick it upstairs
First and foremost, IT should not make the ultimate risk decisions. That's what senior management does. Yes, IT needs to try its best to estimate the likelihood of various disasters and estimate the cost of protection, including decreases in operational efficiency. But it's up to senior management to determine risk thresholds and acceptance.
Unfortunately, instead of asking management to create its own hierarchy of risk, IT often hurts its own cause by painting generalized worst-case scenarios. If protections A, B, and C are not implemented, the world is going to crash and burn. Management gives in a few times, then starts to lose sight of the overall risk to operations. In the process, IT may begin to be seen as a threat to operational efficiency and profit.
Not a good place to be. That's why it's so important to conjure up a realistic picture based on various business functions. If a hack attack stopped a certain part of the business from functioning, how disastrous would it be? Force the business to make those assessments, and with that hierarchy of concerns, you can map the most critical parts of the business to the most critical parts of your infrastructure.
For any part of the business, high-risk areas such as Internet-facing servers merit protection before anything else. Poor patch management is bad, for example, but poor patch management for Web servers is asking for trouble. If you can't patch all assets at the same time, start with your highest-risk areas and work your way down the list. If you're having problems patching a few computers, don't let that glitch delay the process of patching all the other computers in the queue -- including client systems.
Moreover, not all assets in a high-risk area should receive the same level of protection. A Web server holding static, nonsensitive documents doesn't need the same level of security as a back-end database holding valuable data. A computer on the receptionist's desk should not have the same access or need the same protections as a computer used by network admins.
The best companies identify their "crown jewels" and give them all due protection. That might sound obvious -- but the most prepared companies also ensure all infrastructure supporting those crown jewels is fully protected as well. Identify all servers involved. This usually means DNS, DHCP, maybe Active Directory, and so on. Very few companies have this sort of dependency documentation. They may protect the app server, but fail to take into account everything that it takes to deliver the service.
You can't fully protect everything all the time -- and only management can determine which assets need to be protected most. Armed with that information, you can work your way through your priorities, identify the points of greatest vulnerability, and apply your defenses accordingly. When a storm hits, you may not emerge unscathed, but at least your valuables will be safe.
This story, "Which assets get more security? Make management decide," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.