Companies, like the humans who make them run, are creatures of habit. Some of those habits can make information systems more secure, rather than less. There's no such thing as absolute security, of course. But the seven best practices of highly secure companies are a standard against which CEOs can measure their organizations.

"If you can't afford the security, you can't afford the project," says Rosaleen Citron, CEO of Toronto-based security firm WhiteHat Inc., citing a well-known axiom in the information security industry. On the other hand, "most businesses, big or small, can't afford to defend everything," says Mary Kirwan, an independent security expert in Toronto. Indeed, they would impede their productive business activity if they tried.

An effective approach to information security involves making choices. Companies must compromise, deciding what are the most important assets that need to be protected and then deploying a proportionate level of security around them.

1. Assess and audit

Have a risk assessment and a regular security audit performed by an outside pair of eyes. The risk assessment creates an inventory of assets and undertakes a detailed threat assessment. It assigns ratings to threats, and proposes a list of counter-measures. The security audit is designed to show whether those measures have been adequately implemented. How "regular" a security audit should be depends on the business and how much information is being exchanged with customers and suppliers.

The link for this article located at itbusiness.ca is no longer available.