Vandalism, fraud and cyber terrorism: this year again, security will be high on the list of fears that keep CIOs awake at night. Newspapers will be filled with frightening cybercrime stories. Hassan Maad, COO of Evidian, applies the 80/20 rule.

Once again, CFOs will authorise large investments. And, in spite of all the alarms, too many enterprises will be the victims of deadly identity theft, data destruction and corporate espionage.

Is the security field condemned to catastrophe? Of course, it is a complex domain. Technology evolutions make protection a never-ending race between weapons and shields. However, on-the-field experience shows that three factors play a large role in keeping the cybercrime figures unreasonably high:

  • Myth persistence. For years, studies have demonstrated that most attacks come from insiders and disgruntled employees. Yet most enterprises continue to focus primarily on perimeter security. Never forget that attention must shift from 'who has access to the network' to the definition and control of 'who has the right to access what application'.
  • Too much focus on hype. Security news stories are filled with discussions on emerging technologies such as web services security or federation. These are great solutions. But never forget that more than 70 per cent of enterprise applications are not even 'webised' yet.
  • Complexity. Information systems are multi-layered structures with heterogeneous components inherited from the past. As a result, CIOs have to choose between the patchwork of multiple point solutions and the dream of deploying global security systems that never become reality. Never forget that adding complexity to complexity can make security a daily nightmare for all.

The results? Heavy investments. A lot of effort. And situations that do not always fit with the simple objective: optimise the balance between risks and costs.

Must CIOs and CSOs resign themselves to this? Are they condemned to watch the situation repeat itself, helplessly?

Three main principles are key to mitigating these risks:

  1. Focus on basics: in security more than in any other subject, the better can be the enemy of the good. Before looking at the latest publicised risks, it is vital to prioritise real threats. In this matter, beyond network security, identity and access management is increasingly becoming the foundation of true security: define and provision who has the right to do what. Verify that everyone is who they claim to be with strong authentication. Control and audit access for compliance. These foundations, if applied from client-server to web, can solve many security troubles.
  2. Insist on usability: CSOs know only too well that writing a security policy is the easy part. The trouble comes when you try to enforce it. Remember that the users' priority is not to think about security, but to get their job done! As a result, security procedures and solutions that are complicated to apply are likely to be bypassed! The only answer: deploy security solutions that are as non-intrusive as possible, and that include user-centric SSO. Improving usability eases user acceptance, and therefore smooths the path to applied security!
  3. Build step by step: think big, start small. The old adage is more true than ever in security. While budgets are constrained and technologies are in constant evolution, do not get lost in never-ending projects. They may just add complexity before bringing any value or safety. Think about building protections one step at a time, from the core to more advanced functions.

Are these three principles a passport to absolute safety? Zero risk doesn't exist. But they definitely help CIOs, CSOs and users to focus on core safety.

That doesn't mean that IT managers must not keep an eye on the threats and technologies of tomorrow. But, in security more than anywhere else, it is easy to lose sight of priorities. As in other domains, 20 per cent of the effort can address 80 per cent of the risks. The point is to focus on the right 20 per cent!