
Before Signing on the Dotted Line...

Evaluate for security

A recent report from PricewaterhouseCoopers confirmed that most security breaches occur in stored data. Exponential growth in storage capacity, coupled with emerging regulatory requirements, has led to an even greater increase in storage network vulnerabilities. Today, organizations are forced to recognize the critical importance of securing all types of data - from corporate confidential documents to enterprise instant messages to global personnel records. To meet these challenges, organizations must deploy a smarter, more cost-effective approach to security and veer from the prevalent method of developing and implementing patches only after problems are discovered. This article outlines a step-by-step process for organizations to use as they evaluate technology products.

Internal Perspective
Organizations can make better decisions about security products and reduce the potential back-end costs by researching a few key vendor practices; examining the vendor's corporate culture, specifically the security of their development process; insisting on a response plan for times when vulnerabilities are found; and demanding third-party assessments.

When researching information-technology products, organizations must investigate the vendor's security practices and determine the true cost of the product. A product's true cost is often not just the licensing cost, but also the time and money invested in patching the product once a vulnerability is discovered. Organizations need to make educated purchasing decisions up front rather than dedicate resources to applying patches after procuring a product, a process that can prove more costly in the long run. For example, the estimated cost to deploy a patch for a recognized software flaw runs on average $900 per server and $700 per client. If an organization misses a patch and gets hit by a virus, the cost will be magnified.

Vendors must demonstrate that security is a priority at each step of product development and delivery. Some software vendors provide training in secure coding practice and compensation tied to secure coding objectives, thereby strengthening the company's security culture. Organizations with a chief security officer and a team that analyzes product development for weaknesses, or hacks its own products, are clearly dedicated to security. It is better that the vendor notice product weaknesses before the flaw causes problems. The vendor should also run its own enterprise on its products; if a company doesn't trust its own products to secure secrets, why should you?

Patch Management
Before signing on the dotted line, organizations should be convinced of two important elements: the vendor has an aggressive plan to handle problems that may arise; and the vendor has a strictly adhered-to incident-response policy to determine the severity level of a vulnerability. These two elements help to mitigate security vulnerabilities should they arise.

The vendor should also finish all relevant patches before announcing a security alert. Information distributed haphazardly to a handful of customers will exacerbate rather than calm the situation. Further, the vendor's security policy should treat all customers equally by providing the same level of notice to every customer, regardless of size or industry.

Validating Security Claims
Third-party validation represents a critical step in purchasing secure products. Vendors that are serious about security will submit their products for rigorous security evaluations conducted by independent authorities. These evaluations are recognized globally by various governing bodies and provide organizations with a level of assurance about the product's features and security claims. Sometimes, evaluators find product weaknesses and vulnerabilities that are corrected before the evaluation is completed or the product is released.

These evaluations are not without a price. However, reputable vendors know that remedying vulnerabilities found during an evaluation is cheaper than fixing a product already in use. For example, while the cost of an evaluation can reach $1 million, the cost to create and issue a patch for multiple versions of a product that is available on 20 different operating systems can easily cost that much, not including the cost of patch application. Clearly, creating secure products is in the best interest of the vendor and buyer.

Although this due diligence adds a step to the product procurement process, it raises the bar for security across the board. If the industry fails to follow these guidelines, it risks government agencies regulating the process. The U.S. government has already instituted compliance regulations such as Sarbanes-Oxley and the Health Insurance Portability and Accountability Act (HIPAA) to govern the way the financial and healthcare industries guard their stored data.

Security as a De Facto Purchasing Criterion
"IT" now stands for "infrastructure technology," and needs to be as robust, secure, and reliable as physical infrastructure. We never worry about bridges failing, nor should we worry about some of our most critical IT systems - such as SANs, NAS, DAS, and backup environments - going down because of design defects.

Adhering to these security guidelines and choosing more robust products are prudent moves that will cut costs and improve business in the short and long term.

About the Author

Mary Ann Davidson is the chief security officer at Oracle, and is responsible for security evaluations, assessments, and incident handling. She represents Oracle on the Board of Directors of the Information Technology Information Security Analysis Center (IT-ISAC), and is on the editorial review board of the Secure Business Quarterly. Ms. Davidson has a B.S.M.E. from the University of Virginia and an M.B.A. from the Wharton School of the University of Pennsylvania. She has also served as a commissioned officer in the U.S. Navy Civil Engineer Corps, where she was awarded the Navy Achievement Medal.
