By CHAIM YUDKOWSKY, CPA, CITP, president of Byte of Success Inc. (Published Feb. 2, 2004)
"The worst the bad can do is make us doubt the good."
Jacinto Benavente, Spanish dramatist.
Since that tragic day on September 11, 2001, much has changed about
the way we think about security. The most spectacular manifestation
of this can be seen at the checkpoints of our airports. At all costs,
we are being protected from even the most remote possibility of
a hijacking or worse through a variety of strategies that include
arming pilots, putting more air marshals in the air, and even grounding
planes with questionable passengers on the passenger list. Now
even the plans to grade passengers by their possible threat profile
have returned as a likely feature of future air travel.
The procedures at the checkpoints have provoked outrage. Frail
and sometimes disabled seniors are frisked and suspiciously
handled on their way through these checkpoints. Our common sense
of decency, respect for our elders, and pragmatism about the profile
of a would-be terrorist are insulted by witnessing this humiliating
process of preparing our seniors for transport. Some would have
us believe that for the sake of propriety, we should institutionalize
less attentiveness to seniors. Would this undermine or strengthen
our air security?
In IT, we are experiencing confusion and paranoia similar to that
of homeland security. The hacker, the denial of service attack,
the virus, and even the industrial spy are lurking around every virtual
corner, eager to pounce, damage our data, or glean our confidential
information. Thus, developing a security mindset and methodology
that is stable and not subject to regular disruptions of
process has become increasingly difficult to design and implement
in the digital world.
Systemic vulnerabilities and boardroom paranoia have become the
strange bedfellows demanding that IT invest untold dollars and resources
responding to phantom threats. Management's insistence on a
return on investment (ROI) for every IT initiative goes
out the window where data security is concerned. Our IT strategies
now include plans to react immediately to the latest identified
threats. Exacerbating this challenge is that the list of vulnerabilities
continues to grow. Just when an organization has insulated itself
from one, another becomes prominent.
There is another, more reasoned way to approach security,
according to Peter Tippett, Ph.D., founder and CTO of TruSecure (TruSecure.com).
His approach is one of risk management, not dissimilar to the risk
management that a company adopts for other organizational risks.
Based on experience and on empirical and statistical evidence, Dr. Tippett
suggests the following points in defining an IT risk strategy.
· Ban the use of the word vulnerability.
When we focus on reducing risk, looking for every vulnerability will
undermine our efforts. This is because we associate vulnerability
with eradication of a risk, not its more realistic reduction. To demonstrate
this concept, Tippett notes that people wearing a seatbelt are still
vulnerable, since it does not work 100% of the time; still, the seatbelt,
as just one layer of risk mitigation, reduces the likelihood of death
by 55-60%.
· Create and use checklists.
Checklists impose the discipline and organization to make sure that
steps are not missed or forgotten. Often, the worst problems surface
because an update was made or new equipment was installed and processes
were forgotten. Tippett, a pilot, says that checklists alone have
made air travel safer tenfold over the last 60 years.
· Choose the five percent that you need to worry about, not the 100% of the problem.
To do this, you need risk intelligence. This helps us avoid reacting to every advisory
and warning that Microsoft and the antivirus and firewall vendors send us.
· Address the responses that are cheap.
Tippett gives a few examples. Renaming all of the CMD.exe
files on Windows computers to something else reduces the likelihood
of the dreaded buffer overflow attack by 80%. Default deny most
attachments; fewer than .5% of networks are set up this way. Set
the border router to default deny mode; only 8% of companies surveyed
by TruSecure are set up this way. In each example, there is no new
software or hardware cost for this one-time configuration change,
but the cumulative risk reduction is significant.
· Know why you want good IT security.
Granted, the unexpected and unplanned-for is inconvenient
for IT and may even interfere with the IT budget, but the real reason
why this is important is "to run our businesses faster."
Why do NASCAR cars have great brakes? Why is new brake technology
so important? The drivers want to drive faster. You cannot drive
faster if you are afraid that you will not be able to stop on a
dime.
What is the goal? The goal is to minimize the frequency of patching
to once per year, especially for organizations with many computers
and devices. As part of continuing risk research, TruSecure has
defined a model for calculating IT risk that applies to 98% of instances.
In an upcoming column, we will look at this model.
Jacinto Benavente's words have been updated by Dr. Tippett. "We
wind up fixing things that we don't need to fix." Now we can
be fast!
CHAIM YUDKOWSKY, CPA, CITP, is president of Byte of Success Inc.,
a technology consulting company specializing in helping small and
mid-size businesses grow using technology. cyudkowsky@byteofsuccess.com