There is ongoing recognition of the importance of IT security in the business world, but this has all too often been combined with a perception of complexity. Thus, many organisations have implemented IT security without a real understanding of what is being done. IT security is crucial for the well-being of any organisation connected to the outside world, from giving customers the option of e-mail contact through to opening up networks to partners and suppliers.
Most companies today connect to the biggest network of all - the Internet - in order to go about their daily business. The latter two words are key: 'daily business'. Any implemented IT security must not prevent an organisation from conducting its business efficiently and effectively, and from achieving the objectives of the business (for example, making a profit). To this end IT security becomes a balancing act with the daily processes operated by the business. Implementing a firewall and closing down all access to the Internet will result in an organisation's network being extremely secure, but if the Marketing Department cannot conduct its research into competitors using the Internet, then the organisation's efficiency is damaged.
Following on from this, IT security should not be implemented in a haphazard manner. Of course most organisations would deny that this happens, but certainly some companies have had a knee-jerk reaction to the hype put about by the press and IT security vendors alike, and have purchased firewalls, Anti-Virus (AV) solutions, and Intrusion Detection Systems (IDSs) because they think they should. There are a number of crucial points that have resulted from our research for this Report, one of which is that an IT security solution that suits one company does not necessarily suit another. In other words it is not a one-size-fits-all scenario and any snap-decision purchase of IT security stands a good chance of not achieving what it was purchased for.
A roadmap for the implementation of IT security is required in order to commit to the layered defence recommended by Butler Group. No single product can be purchased with the expectation that it will protect the enterprise from attack - multiple solutions are required in order to put up as many barriers as possible to deter intruders. Although no network can ever be realistically described as impenetrable, there are steps to be taken that might encourage a would-be hacker to move on to an easier target - IT security should ensure that your network is not the easy target.
The business aspect of 'securing the enterprise' - that is, doing everything possible to prevent an organisation's IT resources from being compromised - is as important as the technology chosen to do the job. The primary business aspect discussed in this Report is the creation and application of an IT security policy. Any enterprise, irrespective of size, should have a security policy in place, with someone at board-level or senior management level responsible for its execution. The technology deployed will then reflect that security policy. It is important to be aware that the security policy must continually evolve in response to the developing business as well as updated security threats.