Commentary: People, process secure businesses

Michael Rasmussen, Director, Forrester Research

Companies need a plan to respond and should not rely on products alone for protection.

This is a people and process problem. The Microsoft vulnerability is a significant exposure into every operating system running the NT code base from NT to 2003. The Cisco vulnerability is an exposure that could crash every router.

		Related story Security pros talk, but can they walk? A new national policy and months of Microsoft initiative haven't shown a significant improvement in security.

Vendor claims are far-fetched and provide a false sense of security. No vendor today resolves these vulnerabilities, except Microsoft and Cisco with the patches they implement. Security vendor solutions may hold back the evil hordes of hackers should they come knocking, but the deviants will break through given enough time and motive.

The only true answer is to patch systems. Organizations should focus on the process and policy portion of security as much or more than the technology aspect. Do not put blind trust into security vendor claims of protection. Rather, honestly evaluate how the product works and the time it potentially buys you.

Develop a patch management process based on business risk, so the critical business applications and support systems (network, desktop, for example) are expedited and patched in accordance with the risk the organization faces.

© 2003, Forrester Research, Inc. All rights reserved. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.