The Publication for Professional
Security Management

How to optimize your security budget

Written by Darryl Wilson, August 26, 2008
In times of economic uncertainty, corporate IT departments often feel the heat to curb spending. However, increased security threats are poised to affect business continuity, finances, organizations’ reputations and/or intellectual property. With no foreseeable end to these risks, security programs should always remain top priorities.
As a result, we’re seeing enterprises turn to IT consulting and system integration firms for advice on how to get the most out of their security budget. By planning ahead and aiming to enhance operational efficiencies, organizations can prioritize expenditures and implement programs to increase their security posture.

I’ve been asked on numerous occasions to name the one thing organizations can do to improve security. While improvements to security are no doubt multi-pronged, my best one-item recommendation is for organizations to build a strong security program and risk management strategy. This program would have multiple elements, including strong governance, an oversight committee and a well-executed educational program. In addition, the security management program should be mapped to best-practice standards such as ISO 27001 and contain embedded procedures that ensure security is built into the fabric of IT.

In addition to that one major recommendation, in times of strapped resources and scrutinized expenditures, organizations should prioritize their budgets so as to best do the following:

Understand and protect against risk
According to Warren Shiau, lead analyst, IT Research with The Strategic Counsel in Toronto, an important rule of thumb is that technology is applied to automate processes, and that if you apply technology to broken security processes you don't accomplish much. It's crucial to understand the situation before you get into applying technology — including what risks you're facing and the sources of those risks in your processes — and then map out how you will use technology to help mitigate risk.

As always, proactive (rather than reactive) security strategies are preferred, and it’s recommended that organizations adopt a tiered protect/detect/respond strategy for optimal coverage. A vulnerability assessment can give senior executives a view of their company’s information security risk profile — complete with red flags, recommendations for remediation and budgetary priorities. In addition, risk and vulnerability management solutions can help eliminate network exposures, provide up-to-date endpoint and network intelligence and help drill down on root cause issues.

Consolidate to gain operational efficiencies
Good news first: The majority of organizations that have implemented defense-in-depth, layered security with risk management strategies already have many of the elements necessary to improve their security posture. However, the downside is that processes and people still remain one of the weakest links in security improvement.

Misconfiguration and poor implementations have paved the way for vulnerable systems that could be compromised or breached. To help create an adaptive and secure infrastructure — able to withstand both external and internal threats — organizations should look to gain operational efficiencies by consolidating and simplifying their security management systems. This gain in efficiency, along with a sound working knowledge of the operational side of management, helps reduce the risk that people introduce in system management — simultaneously maximizing skills and resources to save money in the long term.

Utilize endpoint security
While companies have beefed up network security over the years, endpoints like mobile PDAs, BlackBerries, remote or unmanaged desktops connecting to corporate networks, small form factor devices and laptops can still pose security threats (not to mention threats of lost intellectual property due to loss or theft). Consequently, organizations should plan a program to address data protection including device encryption, host-based security and data loss prevention to protect intellectual property.

Implement network access control
Network Access Control (NAC) enforces endpoint security policies by setting a baseline of who’s allowed on the corporate network, as well as what services they are allowed to access. Contractors, guests, non-compliant devices and infected systems can be identified and then granted or denied permission based on corporate policy. For example, a guest on the network may be allowed guest access to the Internet only, quarantined for remediation or blocked entirely. A layered defense approach factors in port-based security and corporate baseline policies in conjunction with system- and network-based protection.
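To make the admission logic above concrete, here is an added example (not from the article or any NAC product) of a small policy engine that turns an endpoint's identity and posture into a network placement and an allowed-service set. The identity classes, posture attributes, VLAN names and service lists are constructed for illustration; a real deployment would take them from the corporate baseline policy.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    FULL = "corporate VLAN"
    CONTRACTOR = "contractor VLAN"
    INTERNET_ONLY = "guest VLAN (Internet only)"
    QUARANTINE = "remediation VLAN"
    BLOCK = "port disabled"


# Services reachable from each placement (constructed for the example).
SERVICES = {
    Decision.FULL: {"internet", "email", "intranet", "file-shares"},
    Decision.CONTRACTOR: {"internet", "project-share"},
    Decision.INTERNET_ONLY: {"internet"},
    Decision.QUARANTINE: {"patch-server", "av-updates"},
    Decision.BLOCK: set(),
}


@dataclass(frozen=True)
class Endpoint:
    identity: str            # "employee", "contractor" or "guest" (assumed classes)
    managed: bool            # corporate agent present and reporting posture
    av_current: bool         # anti-malware signatures within the baseline age
    patched: bool            # OS at or above the corporate patch baseline
    infected: bool = False   # host or network sensor reports an active infection


def admit(ep: Endpoint) -> tuple[Decision, str]:
    """Return (placement, reason). Checks are ordered by precedence:
    an active infection beats everything, then identity class, then posture."""
    if ep.infected:
        return Decision.BLOCK, "active infection reported"
    if ep.identity == "guest":
        return Decision.INTERNET_ONLY, "guest: Internet access only"
    if not ep.managed:
        # Posture cannot be verified, so treat the device like a guest.
        return Decision.INTERNET_ONLY, "unmanaged device, posture unknown"
    if not (ep.av_current and ep.patched):
        return Decision.QUARANTINE, "below baseline, sent for remediation"
    if ep.identity == "contractor":
        return Decision.CONTRACTOR, "compliant contractor, project scope only"
    return Decision.FULL, "compliant managed employee device"


def allowed(ep: Endpoint, service: str) -> bool:
    """Is this endpoint permitted to reach the named service?"""
    placement, _ = admit(ep)
    return service in SERVICES[placement]
```

A quarantined device can still reach the patch and anti-malware servers, which is what lets remediation happen without re-admitting it to the corporate VLAN.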

A final piece of advice from Shiau addresses a security trend his firm has been seeing. Many businesses still associate the term “security threat” strictly with viruses, he explains, but what he's actually seen over the past several years is a threat shift toward internal breaches, encompassing both planned criminal/illegal activity and inadvertent data/information loss.

A large number of the highly-publicized data/information losses over the past few years have boiled down to lax control, policy and operating procedures. Processes and people do not naturally gravitate toward secure behaviour — they gravitate toward getting their work done or doing whatever's most convenient. For that reason, policy and enforcement are absolutely critical aspects of security, he says.

With these guidelines in mind, companies can steer IT spending — and get in the fast lane toward a more flexible, adaptive and holistic security strategy.

Darryl Wilson is the Regional Practice Director for Dimension Data Canada.
Last modified on October 15, 2008
