Some Things Every CEO or CFO Needs to Know about IT Security

By Chris Gray

As a security professional, I often receive questions from customers regarding why applications or classes of applications should or should not be used in their enterprises. My response usually identifies a pair of criteria that I believe are critical in choosing enterprise-level solutions:

  1. There is truly a need for the application. There must be an honest business need for the application. If not, organizations should seriously question the decision to use it. This must be carefully considered, as every application chosen to support an enterprise-level need increases the overhead of an organization's IT staff in terms of security and management responsibilities. Many things are "nice to have," but, at the end of the day, they simply decrease an organization's security posture and tax already stressed resources.
  2. The application can be thoroughly supported by the vendor or with available third-party resources. Before using an application, the organization should determine how well it can support that application. It is not wise to tie the success of an enterprise to an application that is overly difficult to manage or maintain. If the application does not have active vulnerability discovery and remediation support, requires management and support overhead that the organization cannot supply, relies on program or system support that negatively impacts the organization's business continuity management program, or contains management and/or security vulnerabilities that cannot be sufficiently addressed using available native or third-party solutions, then the application is likely not a good choice. Too often, we become fascinated with the shiny new car and forget to consider whether we have the ability and money required to keep the car running.

Examples of applications that companies should be concerned about include social media and older legacy applications. These represent both ends of the software spectrum, the new and the old. Both, however, raise concerns that must be addressed before they are allowed into the enterprise.

Social media is a rapidly expanding area, and, in many cases, these applications can have legitimate business uses. However, organizations should consider the serious concerns that social networking applications present: unauthorized data loss, loss of worker productivity, bandwidth and system resource consumption, and possible infection vectors for compromised code and malware.

Older, well-known applications are often used in favor of newer versions of the same systems. Companies must consider that the cost savings from not upgrading to newer versions may be offset by inherent security risks. Widely published and well-known security vulnerabilities in these programs can be easily exploited using tools openly available across the Internet. Also, the software may be at the end of its support lifecycle or tied to older hardware that is no longer easily available for replacement. Older protocols and operating systems may have a legitimate business use, but, given the wide variety of more secure, supported, and commercially viable options available, the continued use of these products is likely more of a risk than a benefit.

What litmus test does your organization use to determine whether or not to deploy a specific application in your environment?

Chris Gray

Vice President, Enterprise Security and Risk

Chris Gray is the vice president for Optiv's enterprise security and risk practice with over 15 years of experience in information technology, information security and information risk management. He leads the team in achieving customer requirements with implementing information security, risk management and compliance management programs.