InfoWorld Home / Security Central / Security Adviser / Win the security numbers game
October 30, 2009

Win the security numbers game

Lumping many sets of security requirements into fewer security bands leads to lower costs, better management, and higher security

| Print | 4 comments|
338 Recommendations

I used to be a Certified Public Accountant (CPA) before I learned that computers and computer security were a better fit. Still, you would think that earning a college accounting degree, working at a CPA firm, and passing one of the hardest professional exams in the world would enable me to do my own taxes. But I'm too scared. The tax code is full of thousands of ever changing laws. There are exceptions to every exception. Believe me, when Congress passes a tax simplification act, CPA firms cheer. That means yet another year when taxes will be treated differently than all of the prior years.

There are so many tax laws that not even dedicated tax professionals, including IRS employees, can get it right. Each year around April 15, U.S. newspapers are loaded with stories of how frontline IRS tax agents could not correctly answer simple tax questions. Who can blame them? Have you seen the size and complexity of the tax code? Exactly how many different laws can one person be expected to know, understand, and enforce with any efficiency?

[ Is your organization moving to Windows 7? Then be prepared: Check out InfoWorld's essential guide. | Tune in to the InfoWorld Security Central channel for the latest IT security news and reviews. ]

Many companies have a similar problem with information security. I've consulted with a number of clients, all with good, intelligent, well-trained security teams, who are struggling to secure a growing number of security domains, each with a different set of increasing security requirements.

The challenge was recently epitomized when one of these clients stated, "I've got 186 different (internal and external) customers with 186 different sets of security requirements."

I sat back stunned. I could not imagine a more impossible scenario short of simply increasing the number. Unless you have a dedicated person or team per set of security requirements, you have no chance of addressing them. It's impossible to make customized, personalized guarantees on such a scale.

Related Content...

White Paper

D2D Virtual Tape Library Replication Primer

This whitepaper explains the terminology and concepts behind Data Replication technologies and establishes some sizing rules through worked examples. Learn the new paradigm in disaster tolerance—protect data anywhere.

Download now »

White Paper

An Alternative to Virtualization for Datacenter Cost Savings

Server virtualization is a popular option for dealing with mounting datacenter costs. Another equally promising approach is the use of an Application Delivery Controller. Citrix NetScaler provides a low-cost way for organizations to reduce their server count and accrue cost savings from a reduction in space, cooling, power and personnel.

Download now »

White Paper

Why Your Firewall, VPN, and IEEE 802.11i Aren't Enough to Protect Your Network

The emergence of WLANs has created a new breed of security threats to enterprise networks.

Included in HP ProCurve WLAN solutions is security technology that alleviates threats from WLANs through:
* Monitoring wireless activity inside and out of the enterprise
* Classifying WLAN transmissions into harmful and harmless
* Preventing transmissions that pose a security threat to the enterprise network
* Locating participating devices for physical remediation

Download now »

White Paper

Bringing the Edge to the Data Center

Effectively address data protection challenges, implementing solutions that help store and protect business–critical data while cutting costs and improving efficiency and reliability.

Download now »
4 of 4 comments
Sign In or Register to comment
rrosen 30-Oct-09 9:48am
1 reply
While your fundamental thesis is correct (more security rules, complexity increases exponentially), your email advice, if I understand it correctly, is wrong. If someone has a policy to delete emails after, say, 5 years, it is a big mistake to keep them longer. It allows discovery to go after them and opens the door to other law suits (why did you delete this one and not that one, what are you hiding). It is critical that record management rules be followed to the letter to avoid opening a Pandora's box of problems.
Roger A. Grimes 2-Nov-09 2:10am
>has a policy to delete emails after, say, 5 years, it is a big mistake to keep them longer If the client wants emails deleted after such and such a time, that would be part of the policy and become part of the incorporated band. A requirement is a requirement. My SIMPLE examples set minimum save periods and did not specific mandatory deletion, which is often a part of a more complex email archiving policy.
CyberSamuri 30-Oct-09 10:47am
I found this article near and dear to my heart for you see I'm an Information Security Specialist at the IRS and I'm married to the branch chief of one of the biggest IRS master files. You talk about a CPA having to keep up, my wife is driven every year by Congress making both minor and major changes to the tax code. I don't know how her staff possibly does it but they deliver a working bug-free system every year. And I get to make sure it is secure. I enjoyed both parts of your story and I'm glad that there are people out there who not only understand the complexity of securing today's information systems (I know, I'm old fashioned, it's "information" and always will be "information") but you one of the few who understand the tremdious job the folks at the IRS do each and every year.
BigRonG 30-Oct-09 1:55pm
Let's relate this to the insurance crisis (another current topic). Companies want to pick a set of infinite options to 'fit' their employees (or more accurately to reduce their costs). Insurance companies face the same issues. It is impossible to customize insurance for every company and manage costs in a sensible fashion. Therefore these companies have started creating 'insurance bands' where the customer gets a range of options at a set price. Yes, it is 'limiting healthcare to make it affordable'! Should the government begin to take over these options, the bands will be farther apart and fewer in number. Why? Because the demand for 'cheap' will be even greater than today. Eventually the courts will understand these issues but as with all humans, stupidity and ignorance are often confused. The ignorant judiciary will learn while the stupid will continue to be a wart on the backside of humanity.

Sign up to receive InfoWorld Resource Alerts

Subscribe to the Today's Headlines: First Look Newsletter

Find out what will be news for the day, with our first-thing-in-the-morning briefing.

White paper

Log Management: How to Develop the Right Strategy for Business and Compliance

This white paper provides guidance on how to develop a strategic approach to managing and monitoring logs, a key function required for compliance with many regulatory mandates and a critical defense against security threats.

Download now! »

White paper

The Essential Series: Security Information Management

Learn about the processes and technologies that support security information management (SIM) operations, as well as the business case for SIM. The series examines different options for implementing SIM and gives you evaluation criteria for selecting the best option for your organization.

Download now! »

White paper

Aberdeen: Choosing and Consuming Managed Security Services

Learn the strategies, actions, and capabilities that Best-in-Class organizations employ and technologies they choose to obtain superior performance against various security performance metrics. This report provides guidelines for identifying which security solutions to consume as a MSS and defines best practices for choosing and managing MSSPs.

Download now! »
©1994-2009 Infoworld, Inc.