07 August 2010
Guard the terror within
As enterprises rush to exploit new business opportunities, determined insiders and outsiders may seek to exploit the vulnerabilities that come with them. The potential of emerging technologies therefore marks a fundamental change in how organisations should approach the accompanying security challenges.
It is observed globally that data security and information privacy, along with the need to protect IT infrastructure from increasingly sophisticated and targeted attacks, are among the key drivers fuelling the growth of IT security spending.
According to Gartner, worldwide security software market revenue totalled $13.5 billion in 2008, an increase of 18.6 percent from 2007 revenue of $11.3 billion. Analysts opine that there is increasing demand for appliance-based products, particularly within segments such as e-mail security and the secure Web gateway and applications markets. Double-digit growth in a challenging economic climate shows that security remains a key priority for CIOs and IT security leaders.
Security practitioners are strongly advised to escape the ineffective and reactive loop of traditional approaches by proactively engaging with key business units, getting involved earlier in the information technology development life cycle, and including more deterrent and preventive measures in the protection posture.
Enterprises' approach to countering security breaches must also change. It is important to have a vision and the ability to think like an attacker while planning an information security strategy.
Enterprises that are serious about improving security need to first change their attitude towards it. Even now, information security is something that only the IT personnel worry about, and they are often the (only) ones who take security-related decisions, alone. Security has to move away from being a technology issue and become a business issue. The reason for this is that IT personnel miss out on the business objectives or business processes when making decisions about solutions procurement and deployment. Information and data security is often left to the administrators who manage corporate IT assets and infrastructure. CIOs should proactively bring security under the control of a procedure or framework designed and implemented specifically for their organisational needs and demands. This process should actively involve employees from different departments and levels, customers, and all entities that deal with the organisation.
There is also a consensus among auditors that the common approach to information security is not appropriate: security is either too tight or too lax. This calls for the right balance – systems should be configured to let in business associates and at the same time keep out intrusions from hackers and malware. Enterprises, irrespective of their size and vertical, may follow a simple two-fold approach and build a framework on it further. This involves identifying enterprise IT infrastructure and assets, and then classifying them. Ideally, security should protect your assets and not hinder them.
Attackers can exploit the social weaknesses of the enterprise and use them to extract personal and competitive corporate information. This makes information security not just a technology issue but a people and process issue, and this is what CIOs and CISOs need to explain and percolate down to their respective boards of directors, CEOs, and employees alike. The answer to this is continuous education and awareness.
A security policy is not the last and final word. It is a master plan, and CIOs need to strategically evolve it as their business and enterprise change. Security can never be achieved through a single tier of defence. The measures for enterprise risk mitigation include:
* Administrative measures
* Physical measures
* Technical measures
Administrative measures consist of policies, procedures, standards and guidelines; personnel screening; and security awareness training.
Physical measures include perimeter control, physical access control, intruder detection, fire protection and environmental monitoring.
Technical measures include logical access control, network access controls, identification and authentication devices, and data encryption.
Designing, documenting, implementing and monitoring security policies is a lot of administrative work. In fact, security is 75 percent administrative grind and only 25 percent technical effort. Not a very glamorous affair, but essential. Policies are the preventive controls, and an ounce of prevention is better than a pound of detection and correction.
Finally, though these methods are good enough to ward off most attacks, they are not foolproof.