The IT Agenda: Security: Set It, Don't Forget It

Security vendors spend tons of money on sophisticated marketing programs, and we buy into it.

December 5, 2003

2 Min Read
Network Computing logo

What's a CSO To Do?

It's not easy to combat that all-or-nothing mindset, but there's good reason to try. Think of your network as a formal garden. The design, preparation and implementation phases are the costliest and most labor-intensive, but if you don't tend the garden regularly, you'll end up spending far more money and time to rescue it from disrepair. Ongoing maintenance is the only answer.

So who's responsible? It's a shared obligation. Vendors must articulate to their customers from the start that maintenance is required--that no network is or ever will be "set and forget." This is tough to do when you're bombarded by overzealous salespeople spewing, "Our product will scale mountains and save your children from vicious wolves" drivel, but smart, forward-thinking reps know that solid customer relationships prove more valuable in the long run than relationships based on hyperbolic claims aimed at making a quick buck.

Customers, in turn, must commit resources for upkeep, starting at the budget planning stage: If you can't allocate enough money for maintenance, don't take on the project. Maintenance details also must be set from the beginning, and processes must be standardized and formalized to ensure consistency even through management or employee changes. Be succinct and specific--a three-inch binder is much less likely to stay a living document than concise checklists with references to more in-depth instructions where needed. Of course, common training and certification--CISSP's common body of knowledge, for example--help keep things even; but you also need to address any ground rules particular to your organization. Once you start writing out maintenance policies tailored to your shop, you'll identify deficiencies and, ideally, you'll fix them.

Products and services come and go; only process lasts forever, and even process requires attention. It's a sucker bet to keep buying the latest, greatest protect-O-matic products if you don't modify your maintenance practices accordingly. And sure, it's fiendishly difficult to change organizational processes (John Kotter's management book, Leading Change, provides some invaluable suggestions in that regard), but retaining a "set it and forget it" attitude means your network will get nailed by the next Blaster worm ... and the next one, and the next one.Jonathan Feldman

Post a comment or question on this story.

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights