Symantec CIO Mark Egan on the Essential Components of a Successful Information Security Program

Mark Egan clues in security directors on how to view corporate information security

4. Metrics Are in Place to Manage the Program. Improvement requires measurement-a way to gauge progress. And quantitative metrics typically enable more meaningful evaluations than do qualitative measures.

The first step in setting metrics is to carefully assess the current security status of the organization, then establish clear goals for future improvement. Benchmarking with similar companies can make it easier, especially for security conscious industries such as financial services that are charged with meeting very stringent criteria for demonstrating compliance.

5. The Information Security Program Is Ongoing. Security is not a destination but a journey. Its lifecycle is a continuous round of measurement, improvement, and management. What's more, the activities within this lifecycle must enable both reactive and proactive response to a rapidly changing Internet threat landscape. Consequently, an effective information security program is not static but adapts to changes both in business needs and security challenges.

6. The Program Is Independently Reviewed. Just as independent financial audits are a sound business practice, an independent information security audit is an invaluable opportunity to have security professionals validate a corporate security program and offer recommendations for improvement. Moreover, regular reviews can uncover trends and, in turn, help identify areas that need additional attention or areas that show noticeable progress.

Also, the findings of a third-party audit are appropriate for review by executive staff, IT personnel, and others responsible for problem resolution. After all, the charge to guard the security of information assets is not just applicable to IT but to every employee of the company.

7. Security Is Layered. It's no longer enough to simply protect the gateway, or the desktop, or the server. The arrival of blended threats changed all that. Blended threats use multiple methods and techniques to spread, and often combine the characteristics of different types of malicious code with the ability to exploit software vulnerabilities.

Because a blended threat attacks more than one component of the computing infrastructure, it can only be defended against by deploying multiple security solutions throughout the network. These include antivirus, firewall, intrusion detection and protection, and content filtering at the gateway, server, and desktop, including the mobile client.

8. The Computing Environment Is Divided into Zones. A typical enterprise is comprised of four zones: the Internet; the extranet, which customers and partners access; the intranet, which is used by employees; and the mission-critical zone, which is reserved for mission-critical applications and limited employee access. An effective information security program ensures that each zone is separated by a firewall that restricts access.

By identifying these zones and keeping them separate, organizations have defined areas for deploying relevant levels of security and information access, with increasing levels of security and associated technology deployed at each successive zone.

9. The Program Is Built on the Basics. Rome wasn't built overnight, and neither is an effective information security program. In fact, many information security programs can take years to implement. Consequently, it is better to start with a solid, basic foundation such as a firewall and antivirus and add technologies as needed than to overlook the fundamentals in favor of more advanced solutions.

To that end, forming a technology roadmap upfront will not only ensure that the correct technology is being implemented at the appropriate time but also that the technologies being deployed achieve the desired results.

10. Information Security Is Considered an Essential Investment. Competition for resources is fierce in today's do-more-with-less operational environment. And information security comes at a significant cost. But lack of security can be even more costly.