Effective Security means doing more with less risk
Information security is going through a major change. There are those who are ahead of the curve of mainstream adoption and of course there are those who have unique highly regulated environments who may struggle to adapt. Developers and IT Professionals are waking up to the need to enable more with less risk by using technology to define what SHOULD BE ALLOWED and by default blocking all other activity. Effective security is a term I've coined for this liberated approach. As individuals, charities and businesses we’re able to take advantage of access to accurate information upon which to make better decisions. Technology is a powerful tool which if correctly applied can make life both at work and at home easier, more productive and more fun.
Effective security is about people, process AND technology. Too many people start with the "Rocket science". Sure there are plenty of interesting technologies in this space though they're useless unless they're appropriately deployed, managed and maintained.
Modern software development platforms such as .net provide the means to formally model the intended flow of information from process to process, validate input and specify trust boundaries. We can define how components share information and authenticate each other’s identity and that of the subject be they a user or system. In adopting these approaches we are able to significantly reduce the scope for attackers to compromise our code.
Windows Vista, Longhorn Server and Windows Mobile provide comparable controls and default behaviours to make life much safer and easier for users and administrators. The operating system platforms have embraced the principle of least privilege, native data encryption and central control. We can centrally manage the vast array of security features to ensure that only trusted code and authenticated users are able to access systems and information.
To be effective you need to clearly define what you want to happen, understand the consequences of failure and decide the appropriate balance between control and access. Your Information Security Policy document should encapsulate these considerations. Your top level leadership team must make the security risk decisions and take ownership just as they do for other areas of business.
Make sure that EVERYONE in the organisation understands their responsibility for keeping sensitive information secure. This shouldn't be an onorous task. Complicated policies that regular users can't understand are nonesense. They should be short, simple and common sense. Defining simple steps that users can take is the way to go. Tell them IN THEIR TERMS what YOU WANT TO HAPPEN. If they can't relate to WHY you need them to do something then THEY WON'T DO IT - unless they're super keen and aren't busy enough!
Effective security enables you to do more with less risk.