SmartAdvice: Add Security Appliances, But Remain Vigilant And Have Backups

Editor's Note: Welcome to SmartAdvice, a weekly column by The Advisory Council (TAC), an advisory service firm. The feature answers two questions of core interest to you, ranging from leadership advice to enterprise strategies to how to deal with vendors. Submit questions directly to [email protected]

Question A: Should we use security appliances for firewalls and VPN access, or would we be better off deploying security software on general-purpose servers?

CSI/FBI Computer Crime and Security Survey documents that security breaches were responsible for more than $140 million in business losses at the 494 companies surveyed in 2004. Clearly, having a good computer-security defense in place is of paramount importance for any business, yet achieving that goal can be challenging. In the past, unless you had a dedicated, highly trained, professional security staff and specialized systems, something would eventually slip past your defenses. Fortunately, the new breed of security appliances now available makes practicing good security hygiene a snap, but there are some worrisome vulnerabilities in taking the appliance approach to solving corporate network security problems.

If you've recently installed a new firewall, VPN, or wireless router, you've installed a security appliance. What makes these new products different is that they're specifically designed to be easy to install and maintain -- they're usually configured and functional in under an hour -- transparent, inexpensive, and able to be upgraded. They're often sold as hardware with an annual software update subscription. Don't even think about cutting costs by forgoing the subscription. The crackers have more expertise and spare time than you do. Take advantage of your appliance vendor's development team, and let them stay a step ahead. Of course, it goes without saying that you need to remember to maintain the system with the latest patches and updates. The products marketed to midsize businesses can generally be configured to update automatically.

Cheap and easy to use, what's not to like about these systems? There are some disadvantages to using security appliances as part of a corporate security strategy. The obvious disadvantage is that the appliance itself becomes a known target for malicious activities. No matter how good the vendor's development team, all security systems have vulnerabilities. It's a matter of time before they become known to the cracker community and exploited.

Another disadvantage is allowing your network security to rely on a single point of failure. If that system is compromised, then the entire trusted network might be open to attack. We recommend continuing to maintain desktop and server-based security software in addition to any network appliance installation.

Security appliances make sense as part of an overall IT infrastructure strategy as long as you remain vigilant. From a business perspective, security is just an expensive insurance policy, so a solution that takes care of the problem transparently and cost effectively seems like a dream come true.--Beth CohenQuestion B: How can we demonstrate the value and justify the cost of our help desk to the business?

Our advice: The help desk is an easy target when cost-cutting measures are instituted. It doesn't generate revenue, and its value to the organization can be easily questioned. In today's cost-focused business environment, those that manage and serve on the help desk need to rethink and rejustify its mission. They need to see beyond its function merely as a reactive vehicle that answers user's requests for help. Instead, they need to reposition the help desk as a proactive IT service that can aid in identifying and driving down IT-related costs.

First, show management how important user support is to the organization. The support of the technology infrastructure is a means to a greater end, which is overall corporate productivity. An organization needs user support.

Second, establish ways the help desk can measure how its function serves to support and aid in the attainment of profit and revenue goals, starting with some basic service principals:

Third, think about how the help desk can assume a more proactive IT-services management role, as opposed to the typical reactive model. Consider turning the help desk into a knowledge center for the firm. Help desks can mine their call databases looking for value-creation opportunities. Examples include:

Instead of reacting to every telephone call, help-desk management needs to begin to identify areas where the help desk can be seen as adding value to the organization. Keep management apprised of your actions. Demonstrate service through well-deployed metric measurements and through a proactive analysis and use of help-desk call data to see where cost savings can be realized. This can clearly demonstrate the contribution the help desk is having to overall enterprise productivity and cost containment. Management can't argue with that.

--Stephen RoodBeth Cohen, TAC Thought Leader, has more than 20 years of experience building strong IT-delivery organizations from user and vendor perspectives. Having worked as a technologist for BBN, the company that literally invented the Internet, she not only knows where technology is today but where it's heading in the future.

Stephen Rood, TAC Expert, has more than 24 years experience in the IT field specializing in developing and implementing strategic technology plans for organizations as well as senior project-management and help-desk operations review. His consulting experience has included designing and implementing a state-of-the-art emergency 911 call center for the city of Newark, N.J., and managing technology refreshes for a major nonprofit entertainment organization as well as a large, regional food broker. He also worked at Coopers & Lybrand, General Foods, and Survey Research. He is the author of the book "Computer Hardware Maintenance: An IS/IT Manager's Guide," that presents a model for hardware maintenance cost-containment.