Network Computing is part of the Informa Tech Division of Informa PLC

The Five Top Network Security Secrets: Page 2 of 4

The problem is a combination of two things. The first is the way that networks have grown organically. Devices and systems typically proliferate to answer immediate business needs, but with little regard to long-term security issues. The other problem relates to the nature of security itself.

"It tends to be reactive," Shields says. "It's like 'we just got attacked,' or 'so-and-so just got attacked and we have to do something. Let's get a box.' Organizations concentrate on what they think are the likely risks without knowing exactly what risks they actually face, and that's just not enough."

Develop a security policy: With all the talk about the need for procedures and governance in security, it might come as a surprise that security policies are not all that common. "You'd be really surprised at how few organizations actually have a policy," Shields says. "Most have an acceptable use policy that says 'don't look at pornography or run a business on company systems,' but not a real security policy."

The point is that, once your threat and risk assessment finds the holes in your security, you need a policy to keep those holes plugged. "Now that you know what your risks are, you can tell your employees," Shields says. "You might have to hire a company to develop your policy, but it's a low-bucks proposition."

Know the ins and outs: The best security rests on a clear understanding of how your systems work. Once the threat and risk assessment has established how, and by what agency, your network can be compromised, organizations have to embark on an ongoing voyage of self-discovery. One of the biggest security secrets -- and it is a secret because it's not explicitly about security -- is that you need a clear understanding of the mechanisms of communication in and out of the enterprise, along with the tools to keep that understanding current.

"Whenever a new mechanism, like voice over IP (VoIP) or instant messaging, that becomes a vector of attack," Shields says. "VoIP hasn't been highly exploited because it doesn't have a lot of critical mass yet. On the other hand, you can't just say 'I don't have to worry about VoIP security because I haven't deployed it' because that doesn't account for the employee who has downloaded the Skype client."