[This is based on the keynote address I delivered on 29 May 2002 at the "e-Security Conference and Expo."]
In the beginning was ARPA who, with the help of US tax dollars and lots of smart folks at universities and labs, gave birth to ARPAnet. On ARPAnet, everybody knew everybody else. (And sometimes you want to go where everybody knows your name.) A few years later, corporations saw the potential, started connecting to the Internet, and the need for Internet security was born. Back then security was the job of the local security guru. Back then senior management rarely gave security a thought. Today, as it should have been back then, security must be a priority of an organization's senior management as well.
There are many reasons.
If an organization makes use of, gathers, or stores any kind of personal (private) information, management has to understand the related risks. What is the threat of theft of private data as it flows over the Internet? Nearly zero. What is the threat on the inside (local) network? It is greater than zero. How about the threat of theft of private information from a bug-ridden web site? It depends.
That answer, "it depends," is the second most important answer in the security realm (the first being, "I don't know.") In this case, it depends on how secure your servers are. For many people, "not very."
You also need to figure out what the event-cost will be. First, what it will cost your company directly? But then you also have to consider the cost to the individual. The individual risks identity theft, which is a growing problem. This links back to the company in lawsuits (personal and class action), lost trust, etc. So, it can cost you your business. It can cost someone else his life, at least in some sense. Columnist Eileen Ambrose writes in the May 19, 2002, *Baltimore Sun*," On average it takes a victim 18 months to clear up an identity theft case and $1,100 in out-of-pocket expenses...." Businesses must protect the privacy of Internet customers for all s orts of related reasons, including the most obvious one: it is the right thing to do. (See "The Golden Rule" as related in the Bible, Matthew 23:39.)
In a Computerworld column on May 28, 2001, "Data Privacy Issues Key to Global Business, Panel Says," Kathleen Melymuka wrote, "Companies interested in doing business globally must take data privacy issues very seriously because even one slip-up could be devastating to their corporate images…"
There is nothing new here. On the technology side, nothing much has changed in the past 10 years. You use firewalls to control access. Web and application servers must be properly configured and maintained, with all relevant security patches applied. (Note to senior management: these devices need knowledgeable people to support them.)
You also need to plan. I've written about this before (see references below). Any technology must be under-girded with policy and procedures. And senior management must back them up. Security is not optional; it never was, but we got away with treating it as optional in the past. If you get this wrong, your business could be destroyed. Someone's life could also be wrecked.
In a class I teach, I go through something called "The Top 10 Administration Mistakes," and 5 to 7 of them touch on senior management. All can be fixed if management is willing.
In 2001, someone posted this to the "firewall-wizards" mailing list:
Is there anybody out there that can help me get some configurations right on our new Gauntlet firewall? I have never configured a firewall before and have not had training and this is very important to our company so I am feeling the pressure here. Any help would be appreciated!
I posted the following reply,
Can anyone out there help me learn to drive an 18 wheeler? I was hired to do this, and I have a truck supplied by my company. I have a driver's license for an automobile, but I've never driven a big rig before, nor have I had any training in one. It is very important to my company that I get this right, and I have to start a cross-country run on Wednesday. Any help you other drivers can offer in your spare time as you pass through will be greatly appreciated.
With growth in business use of the Internet, computer and network security is no longer an after-thought. Still, today, many organizations think that it is mostly the job of the security professional. While "security is everybody's business," is a fine slogan, from a business perspective, it is the job of senior management to support it as well as they support sales, marketing, or other areas. Supporting security is an obligation for any company or government agency doing business on the Internet
There is a new column on my web page, previously published for WatchGuard Technologies. "Using Your Firebox's Optional Interface," ( http://www.avolio.com/columns/OptionalInterface.html) is Firebox-specific, but useful for anyone who is thinking of putting in a DMZ (service network).
I will be speaking at CSI's "NetSec 2002" conference in San Francisco the week of June 16. Please see http://www.avolio.com/calendar.html for details and descriptions. See http://www.gocsi.com/ to get a catalog. And please stop by and say hello.
Previous writing about security planning:
I recommend the May 15, 2002 CRYPTO-GRAM ( http://www.counterpane.com/crypto-gram.html) for a good discussion about "Secrecy, Security, and Obscurity."
News articles about identity theft: