Giving IT Your All

For one, the government is relying on the VAR community to provide state-of-the-art security solutions, a daunting responsibility. As a community at large, VARs attack the problem by providing hardware and software as a solution. And while these are the main ingredients, technology-based solutions alone are inadequate. The threats our nation faces are multisourced and, therefore, the deterrents and complete solution provided must be all-encompassing. In fact, addressing the information-security needs of government clients is more than integrating and configuring effective combinations of hardware and software solutions. It's also about mitigating threat, risk and loss by preventing problems before they even occur. These kinds of results will not only achieve improved ROI through decreased incidents and support costs, they'll also result in high levels of customer satisfaction.

Information security relies on an integrated and layered approach and includes both human and technical elements. Remember, no matter how good the security technology is, the human element can render it compromised. So, who is this human element? It could be the gamer in high school looking for a way to transfer funds for private fun. It could be the elementary school whiz-kid learning how to hack. Or it could be the cyberterrorist, not looking to hack or steal, but rather to destroy.

Information security is a moving target. The mantra, "You are only as secure as your weakest link," is true in both physical and technical forms of security. One needs to design security while looking at the full spectrum of the threats and risks to the client, along with the losses that client could sustain.

IT is often the problem as well as the solution. And to best assist your clients, you need first to accept and embrace the premise that IT is often the conduit through which loss occurs. Frequently, IT is used to secure information and information systems without building in the benefit of additional risk-management expertise to determine what data and/or facilities are at risk and the value of each.

Quantifying the value allows you to project loss, as well as savings, and from that you can begin to determine what levels of security to assign to each item at risk. Note how quickly this moves from technical solutions to business-based solutions first and foremost. Government processes and personnel demand ROI. With risk-management calculations, a VAR can better assist clients in selecting and installing the right solutions that also diminish risk in a cost-effective manner.

PREVENTION VS. RESPONSE VS. RESTORATION
At what level are you addressing your clients' security needs? You cannot deliver a complete solution without assessing how to combine the following three areas: Prevention vs. Response vs. Restoration.

Prevention is associated with pre-incident activities. Response is associated with real-time incident activities. Restoration is associated with post-incident activities. Now, consider these three states in conjunction with the following three security objectives for information and information systems, according to the Federal Information Processing Standard (FIPS) Publication 199 as issued by the National Institute of Standards and Technology (NIST):

• Confidentiality: A loss of confidentiality is the unauthorized disclosure of information.
• Integrity: A loss of integrity is the unauthorized modification or destruction of information.
• Availability: A loss of availability is the disruption of access to or use of information or an information system.

Confidentiality, integrity and, possibly most important, availability must have a three-pronged solution, including a plan for pre-incident, real-time incident and post-incident activities. The client's solution must include an individualized, effective matrix for these items, which can be used to prioritize threats and risk, as well as to value loss. Security plans generally have a detailed response and restoration plan, but many do not address prevention.

PREVENTING THE INCIDENT, NOT FIXING IT
In the realm of professional services, the solution-provider community currently places a tremendous amount of emphasis on fixing a problem after an incident has already occurred. For instance, selling extended warranty or maintenance contracts, which is a prime example of reactive selling, is a key sales initiative and considered to be a prime profit center for VARs.

Approaching security from a reactive state, however, leaves a deficit for the solution provider to fill, both financially and technically, because downtime is necessary to fix the problem. The government considers availability a key element to system security, and downtime is just not an option for a truly secure environment.

With this in mind, it is more cost-effective, both for the client and for the solution provider, to prevent an incident from occurring than it is to react to a problem, while creating a highly available secure environment. VARs can offer risk-management services through site and system analysis—identifying areas where risk can be mitigated. The client can then achieve cost savings, a more secure environment and higher system availability.

In order to achieve problem prevention, a detailed analysis of the existing environment must be performed. It's critical to consider the mix of technical, physical and human security elements for both reactive and proactive activities. Through the right mix of well-defined processes, well-trained people and the proper products, risks will be mitigated to the maximum point of prevention. That is truly the value government customers are looking for.

The question then becomes, how can we help our customer with the three Ps: process, people and products? The answer is to engage a VAR who has risk-management expertise, which involves analyzing the client's environment and identifying assets, both tangible and intangible; measuring the potential risk areas; mitigating risk by educating people and engaging the right product mix, ensuring processes are established to sustain the environment; and maintaining ongoing risk assessment of assets to ensure optimal performance.

Ultimately, the customer will realize a reduction in costs, improved security and higher availability.

Mardi Norman ([email protected]) is president and CEO of Dynamic Systems, an IT solution provider to the government and education sectors.