It is worth reminding ourselves of the positive value of IT security. The whole purpose of IT is to make information available to those that participate in some way in the activities of the organisation.
Nowadays, electronic communication is likely to extend to customers, investors and partners as well as the more obvious categories of employees and contractors. Security should not be an obstacle to proper access to information; indeed, it should be the guarantor of information integrity.
Security is threatened by the pervasive networks that are characteristic of today's world. It also continues to be threatened by traditional risks from people inside the organisation. The greatest benefits will come from IT security when a balanced view is taken of all the risks across the organisation.
That consideration leads to an issue that is increasingly prominent. IT security needs to be built on organisation-wide policies, and needs to be managed for the organisation as a whole. It is inevitably difficult to achieve this kind of integration because it cuts across established divisions and responsibilities and is therefore liable to meet a degree of resistance.
It has often been said that IT security is now on a par with the keeping of financial records: it is a basic competence that is required of any organisation. This is true, but it is naturally difficult to generate enthusiasm for expenditure on capabilities that are usually seen in a largely negative light. Organisations that handle large sums of money, such as banks, are traditionally familiar with risk management and the costs it incurs. Other businesses are only gradually becoming more aware of risk management.
In many cases, there will also be a genuine cost-saving argument for improved security administration. As discussed above, many IT resources already have at least simple security capabilities, such as user name and password validation. The cost of administering these basic mechanisms is growing fast, as is the indirect cost of failing to enable new access to IT facilities in a timely way.
Centralised administration with delegated management is much the best way to control and reduce costs, at the same time as increasing effectiveness.
When it comes to specific choices for deployment of IT security, these are best made in the context of an evaluation of the risk profile facing the organisation. Different styles of operation and differing ways in which a security breach would cause damage must be taken into account. It may be possible for this evaluation to be carried out internally, but there are good arguments for involving one of the many service organisations that have specialist skills in this area. Their knowledge is valuable, as is their ability to look at the situation with fresh eyes.
Typical organisations will today have implemented only a portion of the techniques discussed here. But most will be actively considering further extensions, and many will be aiming at integrated policies and an integrated deployment.