
Building Security into an IT Organization (Security Series - Part 1)

06/29/2011 by: The SunView Team

Given the daily reports of attacks on organizations, it is not hard to believe the often-quoted figure that 90% of companies have been victims. Recent reports tell of intrusions at organizations we would all like to believe have their act together, such as the U.S. Senate, Lockheed Martin, and the IMF. Meanwhile, the recent attacks on Sony's PlayStation Network demonstrate how relatively easy it is for attackers to cost a corporation hundreds of millions of dollars in expenses and lost revenue, not to mention the loss of customer trust.

Not only are the frequency and impact of such attacks increasing; so is their sophistication. Attackers are reportedly going at the heart of Internet trust by obtaining fraudulent code-signing certificates (Stuxnet's drivers were signed with certificates stolen from legitimate hardware vendors) and, in the RSA breach, apparently targeting the seed values used in RSA's SecurID tokens. It has also been reported that hired guns in developing countries are being paid to find zero-day vulnerabilities, and that those paying will exploit rather than report them.

Millions have been spent on technology like firewalls and intrusion detection. These tools and technologies are clearly vital, especially for the alarms they raise and the forensic evidence they produce (if you can afford to sift through the noise they generate). Yet the evidence shows that these tools alone are not the answer. In Sony's case, the attacks likely progressed over months, and once detected it reportedly took days to realize their extent. If these tools aren't the answer, what is? My conclusion is that IT has to learn the same lesson the software industry has learned: security can't be tacked on at the end; it must be built in. IT can apply the lessons the software industry learned, but the problem for IT as a whole is different and requires different solutions. The common thread is the need to build security in.

Allow me to make the case that security has to be part of an organization's DNA, and that ITIL offers a framework for building security into an organization. "Building in security" sounds like a great slogan, but how do you make it happen, and why use ITIL? There is a strong analogy to building in quality through TQM (total quality management). Back in the '80s, before we in the US came to learn that quality can't be tacked on by the Quality Assurance Department, the focus was on the product (the actual widgets). Then lessons learned out of necessity taught us that it was about the processes, people, and tools: quality had to be part of a manufacturer's DNA (back in the '80s I worked for a hardware vendor that manufactured robotic controls for the auto industry).

Currently in IT we are making an analogous mistake: we try to "tack on" security with technology like firewalls and monitoring, much as manufacturers once counted on their quality assurance department to ensure quality. It was W. Edwards Deming who opened our eyes in manufacturing, and one of Deming's central mantras, the iterative plan-do-check-act (PDCA) cycle, is embraced by ITIL and its Security Management process. As it turns out, Deming can help in IT security as well.

This posting is the first in a series that will explain how ITIL's processes help "build in" security across an organization. The next post will detail how each of the core sets of ITIL best practices contributes to improved security. A subsequent posting will shed more light on the ITIL Security Management process itself.