Issue No.02 - March/April (2007 vol.9)
Published by the IEEE Computer Society
Wesley Chou, Cisco Systems
Linda Wilbanks, Nuclear Security Administration
Shawkang Wu, The Boeing Company
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MITP.2007.33
The best plan for an IT security system is to have a plan that the entire enterprise supports, and to follow it.
Managing cybersecurity boils down to a fundamental pair of questions: What is the risk of this type of attack from this source? And is the cost of protecting against that attack greater than the cost of recovering from it?
When dealing with a cybersecurity budget, it is more important to determine the costs, benefits, and risks of a solution than it is to implement the latest cryptographic algorithms or technologies. Once business needs and costs are addressed, the task of administering and implementing protective measures falls into place.
Of course, the nature of the business is a key factor in determining the level of cybersecurity required. An e-commerce company that depends heavily on accessibility to its public Web site will likely be most concerned with defending its Web servers from a denial-of-service attack. A less Internet-dependent operation, such as a hospital, might be less concerned with Web site protection and more concerned with the database security of patient information. Each enterprise will have its own set of criteria that dictate how to manage cybersecurity.
From this perspective, IT Professional presents its "Managing Cybersecurity" theme issue. The set of articles included here focuses more on the operational viewpoint of managing cybersecurity and less on the technological innovations that continue to evolve and provide protective solutions. It is the principles of evaluating a system and managing this technology that remain constant.
In "A Process-Based Approach to Handling Risks," authors Wayne Jones and Al Gallo tackle the first step in securing an IT environment: evaluating risk. With a methodical plan to identify vulnerabilities, you can determine the areas that need the most urgent attention. Once you have identified the focus areas, then you need to determine each solution's risks/rewards.
In "Cybersecurity Costs: Balancing Blanket Security with Real-World Practicality," Wesley Chou examines the trade-offs of various components used to protect an IT environment. Taking into account both the direct cost of a security solution and the indirect cost of managing that solution, you must weigh the true return on investment (ROI) of any technology purchase and deployment.
Finally, as a technological case study, if you will, we examine Secure Sockets Layer's place in the cybersecurity realm in the article titled "The Role of SSL in Cybersecurity." Larry D. Bisel discusses which aspects of cybersecurity this common protocol, one of the many security protocols in use today, can cover.
Also in this issue, IT Professional debuts its CIO Corner. In this first column, Linda Wilbanks discusses cybersecurity from the perspective of a federal CIO.
Our selection of articles in this theme issue is designed to provide guidelines for what an IT professional should be focused on when approaching the problem of cybersecurity. Strategies to protect systems from attacks are too often implemented as afterthoughts, rather than as part of the initial planning and design phase. By defining and following a set of guidelines with which to design an IT security plan, you can achieve the best ROI. We hope you enjoy this special issue of IT Professional.
Linda Wilbanks is CIO at the US National Nuclear Security Administration. Contact her at firstname.lastname@example.org.