Going into my second year as my company's security manager, I've been spending some time planning my next steps. When I started this job, I defined a three-year road map for the fledgling security program, to give it focus and to make sure the approach to solving my company's security problems covers the right areas. I've made it through the first year of the plan pretty much on track, despite changing business conditions and unexpected emergencies. The next year will be spent shoring up other areas of the network. Year 3 will be all about optimizing and filling in gaps, if all goes as planned.
This year we made a lot of progress. I started out with metrics, measuring key performance indicators to show our execs where the hot spots are in terms of business risks, and what progress we are making on our priorities (how their investment in security is paying off). I also published numerous policies and procedures to give our security program a solid foundation. On the technology side, I started first by locking down our endpoints. My current employer understands the importance of security, so I encountered no resistance in establishing a patching program. Our servers and workstations are now being patched on a timely basis, and I'm very pleased about that, since it was always a real challenge at other companies I've worked for. Our workstations are now also protected with whole-disk encryption and USB device control software.
We also had quite a few distractions that took my focus away from the strategic plan. A surprise corporate merger required a lot of planning and effort, a proliferation of software-as-a-service contracts necessitated security reviews of third parties, and numerous virus outbreaks plagued my network. But a security program should be adaptable and able to respond to changing conditions. As a result of these various emergencies, we have grown stronger. I've replaced our antivirus software with one that performs better for us, established processes for future mergers and acquisitions as well as for SaaS relationships and outsourcing, and even managed to implement single sign-on for SaaS and internal applications as part of one of our projects. So thanks to unexpected developments, we are actually ahead of our security plan.
My areas of focus for next year will include our network and mobile devices. I recently wrote about my company's experience with phone fraud and the expensive bill that resulted, and several readers responded with suggestions - thank you. I'll include taking a look at the technologies that are available to combat this threat in my plan for next year. In a recent column, my Security Manager's Journal counterpart Mathias Thurman wrote about the challenge of iPads on the corporate network, and I've been looking at that as well. I'm planning to deploy software that creates a "secure container" in the iPad as well as other mobile devices, so corporate data and applications are kept separated from personal ones on a variety of mobile devices. Replacing my legacy IPSEC VPN with SSL VPN is also going to be a priority, and that should also help with reducing network threats from endpoint devices. And, intrusion detection is a must, along with Data Loss Prevention (DLP) to protect our intellectual property.
Our 2011 budget is not finalized yet, but I'm optimistic that my 2011 initiatives will get funded. I'm looking forward to a new year of challenges and opportunities as my security program moves forward on its path.
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at email@example.com.
This story, "Assessing the IT Plan for the New Year" was originally published by Computerworld.