Wednesday, January 2, 2008

2008 the year of documentation and processes

Over the last several years in Information Security, we have all heard the "year of" pronouncements:

The year of PKI
The year of Identity Management
The year of Intrusion prevention
OK - you get the point

These all sound so good, and so easy: just install x and all of your problems will be solved. However, we all know it is never that easy. Most "silver bullet" solutions require that the underlying processes, and the information they are meant to protect, first be understood, documented, and classified from a risk perspective. This is where most of these solutions fail to provide the protection and ROI that the salesperson touts in the presentation. Ignoring the boring and long process of understanding where the data we need to protect lives, and how that data is used, will certainly lead to security dollars being applied in the wrong places, or over- or under-spent in certain areas.

Documentation is not fun, and it is not as impressive to present to management as product x, which is much easier to illustrate: see, Mr Chairman, it is right here in this box with the pretty lights. However, only by understanding where the data is and how it is used can we set about protecting such a valuable asset. Process documentation, and adherence to the documented processes and policies, have a measurable impact on the organization:

  • It keeps the auditors happy
  • It makes IT, and the business as a whole more efficient
  • When something does break down in the process, it is less of a mystery to discover what broke

So I am proposing that 2008 is the year of documentation and processes - now doesn't that sound exciting?
