Security professionals work in an ever-changing environment where a primary goal is always to stay one step ahead of those who might seek to harm the assets and resources under their protection. It is an uphill battle that never ceases and that fundamentally requires planning as well as a multitude of resources, both human and technical.
At the technical level, security professionals seek to deploy and manage automated systems that, through heuristics, known signatures, and specific rules, help to protect infrastructure components. Much of this technology can be expensive to acquire and maintain; however, many executive managers have come to the realization that in today's technology-driven age, investment in security technologies is part of the cost of doing business.
Accompanying the implementation of automated security solutions comes the requirement (and subsequent cost) of supporting those systems on a daily basis. This means staff to perform duties such as firewall management, audit log review, public key infrastructure management and sustainment, and so on. These people are responsible for ensuring that the technological solutions in place to protect the company's assets remain up to date and as fully functional as possible. They must have a complete understanding of the infrastructure they are protecting, and they must stay on top of the ever-changing arena of information security.
Beyond the staff required to support automated security investments are those who help mitigate vulnerabilities and risks that cannot be addressed through technical means. Unfortunately, it is tougher to sell executive management on this sort of security investment, because typical mitigation practices on this front include the development of policy and standard operating procedure, training, certification and accreditation, and the like. Part of the reason for this tougher buy-in from executive management is the inability to truly assess the return on investment. With technical solutions, it is easy to see how many viruses were quarantined, how many intruders were stopped at the firewall, or how many packets were dropped by the host-based intrusion prevention system. Those sorts of details are quantifiable and can be presented to management in ways they can easily comprehend.
How does one talk about the effectiveness of a policy or of certification and accreditation? Quantifiable results geared toward justifying the investment in these sorts of strategies are attainable, but at a much slower rate than those of a technical nature. The fact that they are not easily quantifiable, or even that they may inhibit some areas of operation, does not mean they should be neglected or dismissed altogether.
Forward planning through standard operating procedure, policy implementation, awareness, and training are all fundamental components of any information assurance or security platform. Enterprises have to be capable of protecting their assets when technical measures fail. Management has to realize that threats no longer come predominantly from outside the environment, but increasingly from within. They have to understand that there are very few technical mechanisms to mitigate the human element of the security equation.
Implementing policy and standard operating procedure not only demonstrates movement toward due diligence, but also embraces a proactive operational mentality that will inevitably help an organization pull through tough times. Every security practitioner knows that no enterprise or organization can ever be one hundred percent secure. Given this fact, it is only a matter of time before an incident or compromise occurs. Contingency planning, incident response, and other key areas of information assurance can all be planned for, and all can help to preserve the operations of the company in times of desperate need.
Organizations that refuse to invest in preplanning for future events capable of bringing operations to their knees are at the mercy of the technology they employ. Choosing to believe that they are not a target, or that their organization is too small to be concerned with these sorts of policy-based or procedural activities, leaves little room for recovery if and when an incident occurs.
August 23, 2009 at 3:10 am
Very good article!