Organisations using the Internet for business-critical applications such as remote VPN access and e-business solutions must look to build a security infrastructure that balances the contradictory aims of 'keeping the bad guys out' with 'letting the good guys in'. As we explain, a possible framework for achieving this might well be The Security Lifecycle.
Recent Gartner research indicates that two-thirds of UK organisations invest less than 2% of their annual IT budget on network security, whereas the equivalent figure for US blue chip concerns is nearer 7%. Most of the UK investment is in security technology and 'pockets' of security expertise, providing '9-to-5' cover in a 24/7 Internet world.

With a proliferation of attacks emanating from the Internet, and the tangible financial fraud and theft of proprietary information that's virtually a daily occurrence worldwide, 'security on the cheap' is no longer an option. Where and how, though, does the in-house professional start to address this challenge?

The right place to begin is with an understanding of how an organisation is using the Internet for business-critical applications such as remote VPN access and e-business solutions, and build a security infrastructure that balances the apparently contradictory aims of 'keeping the bad guys out' with 'letting the good guys in'. One framework for achieving this is The Security Lifecycle.

Defend, Deter, Enable, Manage
In essence, The Lifecycle identifies the four key components necessary for a comprehensive security solution: namely Defend, Deter, Enable and Manage.

Defend: any organisation that connects to the Internet needs to implement the fundamentals of Internet security – control the traffic that's allowed to pass through the Internet gateway, and provide protection from viruses (this is the 'front line' of any security infrastructure, and involves the deployment of properly-configured firewalls, etc); Deter: the increasing proliferation of attempts to hack corporate networks means that an increasing need for many organisations is to ensure that their network, and all points of Internet connectivity, are actively monitored to provide immediate alerts to any source of attack and identify potential areas of weakness; Enable: the Internet is nothing if not a productivity tool and business enabler, and more and more organisations are using it to provide secure remote and mobile access to corporate networks (it follows that significant additional security precautions are needed to enable this to happen – an increasingly critical part of an organisation's security infrastructure is in place to provide secure access via the Internet using VPNs and strong authentication); Manage: All the security available is only as good as the resources targeted to monitor it 24/7, and the specialist knowledge necessary to analyse incidents and take the necessary actions in a timely manner (the specialist resources and infrastructure needed to monitor, manage and respond are a vital element of The Security Lifecycle – this requires significant investment in a secure operations centre, manned by qualified support personnel on a round-the-clock basis).

Look towards outsourcing
If what's required seems like an impossible burden on the in-house IT and security operation, look towards outsourcing to a specialist provider.

Capitalising on the investments that managed security providers have made in security expertise is not representative of an abdication of responsibility. It makes sense to delegate responsibility to a specialist security partner that can provide all aspects of The Security Lifecycle.