I did a lot of consulting work some years ago for a true entrepreneur who had started his own successful company from scratch. He and his wife started by working from their garage, they then moved to a small office and grew steadily until he ultimately had two office buildings, a large warehouse and more than 150 employees to support the company. He often yearned for the days when they worked in the garage and everyone knew what everyone else was doing because of sheer proximity. He had an expression that he liked to use when we were troubleshooting a business problem, "We have to make the invisible, visible". In a sense, this is what computer security is all about -- making visible what is often invisible. That said, the person or persons in your company who are responsible for security are those who will need to get this done. So, who is responsible for security in your shop? Do you know? Is it clear?
Too often, in my travels, I find that computer security is an afterthought or just a pain in the neck issue that has to be dealt with because the operating system seems to require it. If this is the case in your shop, then most likely no one is responsible for security. This is definitely a bad situation and should be a big red flag for management. If people at your shop can make the claim that everyone talks about security but no one ever does anything about it, then you need to take action now.
There are several different models that you can adopt that can work for your installation. A lot depends on the resources your company is willing to invest and the level of importance that computer security has in the eyes of management.
Most shops have computer security responsibility residing squarely on the shoulders of the IT director and this can work very well. Depending on the size of your shop, the Director (or whatever the favorite title-due-jour is these days, when I started my career it was the DP manager) can either take personal management of security or delegate to a security officer. If properly implemented, this can work very well. The only issues here are that IT can sometimes be very short sighted when taking user community needs and requirements into account.
Some directors will delegate security responsibilities across the entire IT staff choosing personal direction of the task. The key here is having a strong manager who is ultimately responsible -- either embodied in the IT director or in their designated security officer.
Spreading security responsibilities over a large number of people can have the effect of focusing a lot of people on very small areas (i.e.: individual applications) with no one taking responsibility for the big picture issues. Such things as system backup, offsite storage, disaster recovery, DR testing and more need to have a strong manager in charge who can develop and implement the plans needed to keep all of these important security tasks current and fresh. In a complex System i LPAR environment, this can be even more daunting where multiple systems operating within a single box need attention. If you do choose to spread security responsibilities around, you should assign specific global areas to specific individuals. This will help to make the invisible visible, as my old friend often advised.
The real secret that my friend found to make visible that which is invisible is to establish accountability. If someone is personally accountable for something, it will either get done or the person will be replaced.
If you have specific questions about this topic, email me at rich@kisco.com. All email messages will be answered.
---------------------------
About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.
