The 5 'P's of Security and Compliance

Topics: Compliance | Strategy

I have the good fortune to be able to talk to a lot of different customers about their security and compliance efforts, and in the process I learn a lot about what works and what doesn't. I also have the benefit of over 27 years’ experience in the IT industry, which means I've seen (and yes, made) pretty much every kind of mistake that can happen. But the one thing that always strikes me the hardest is that we keep making the most basic mistake over and over again, and, as you would expect, the results are inevitably the same. The mistake I'm referring to is ignoring the 5 'P's - Proper Planning Prevents Poor Performance. A large number of people I talk to in the security industry admit that their security and compliance programs just kind of happen - they aren't planned.

I always like to use an analogy from my programming days when I talk about planning; it's something that anyone who's been in the IT business for more than a few years has inevitably encountered: The Application From Hell! Most of you already know what I'm talking about - it's the application that was originally created years ago as a small program to do one simple thing, then started growing over time. There was no overall planning involved - bits and pieces of new functionality were added as people identified new requirements, numerous programmers added their own flourishes as they saw fit, and the IT staff tries nobly but in vain to keep the whole mess running. There have been uncountable meetings and discussions over the years about ripping the whole thing out and starting over from scratch, but there never seems to be enough resources (or willpower) to actually do it. The result is an application that more or less does what people need it to do, has problems on an almost daily basis, and consumes a disproportionate amount of resources to keep running, but one which everyone claims the company can't keep running without. Sound familiar?

What I see all too frequently are security programs that mirror that kind of application. Security tools have been added over time, new and existing security functionality in applications has been enabled and utilized, and processes are constantly being created and tweaked, but there's no overall plan in place to control the whole program. The result is a security program that kind of meets most requirements but still leaves gaps, costs a lot more than it should, and is constantly bypassed by users who are only trying to get their jobs done (if you don't believe that last part, check out the latest study published by RSA that shows 53% of the respondents felt they needed to work around their organization's security policy to get their job done).

So how can you tell if your program has been appropriately planned? It's pretty simple: ask yourself if your organization has a documented security and compliance program plan that's reviewed and updated regularly to reflect changing requirements and threats. If the answer is no, then it's more than likely that the 5 'P's haven't been followed.

Comments

5 ps of security

I completely agree with the author. Nowadays security is a major concern for corporates. Thus business organizations should update their security suites on a regular basis so that the latest malware or virus attacks can be prevented. The 5 security Ps elaborated above are very good technical stuff. Regards.

- yasothane
