To be effective, security has to come first

The keys to good IT security are doing your homework early and being prepared, said Keith Young, security manager for Maryland's Montgomery County.

"Security is like a Yugo with a sunroof," Young said in a presentation at the FOSE 2003 trade show. "Eventually something is going to leak through." A good security manager should plan ahead to put off the inevitable for as long as possible, and be ready for it when it occurs.

Montgomery County had the lead in last year's Washington, D.C., sniper investigation and had to share information securely with a variety of agencies within the county as well as local, state and federal organizations in the District of Columbia and two states. At the same time, traffic?and attacks? on the county's Website increased 1000-fold, Young said.

He found there was no one effective solution for securing the multitude of links that was put into use.

"Montgomery County is using everything right now," Young said. That mix, which supports about 2000 users, includes virtual private networks, site-to-site IPSec encryption, Secure Sockets Layer encryption for Web applications and public key infrastructure. None is perfect, he said. For every solution there are problems with interoperability, the need to support client software for a variety of platforms and the threat to internal networks should malicious code breach the perimeter.

To make security work managers must spend time and money up front evaluating vendors and their products, paying attention to company financials as well as to technology. This groundwork might slow down the process of change, he warned. "Sometimes, sticking with your current product might be a good choice."

Another piece of advice was to keep a big bottle of antacid on hand. "I take it on a daily basis," Young said.