As the year ends, we encourage you to take a step back from your day-to-day challenges, assess the current state of your information technology, and consider where you’d like to be a year from now.

But where to start? My advice: go back to basics. Examine the performance of your core functionality, asking these questions about:

• The overall health of your network. Have you been diligent in monitoring and maintaining your infrastructure? Will your network be up to your 2007 performance-level needs?
• Security. Are your procedures and processes in place and up-to-date?
• Application performance. Is your user community happy with your systems and network response times?
• Backup, recovery, and business continuity. Do you know how you’ll continue to do business if a major system — including servers — goes down? Are you prepared to recover from failures impacting email, your phone system, customer-facing web services?

Using independent expertise to conduct such an assessment will give you a clear, unbiased IT picture and help you decide where you need to allocate resources. It can also help you determine which issues are best resolved in-house and where your organization can benefit from additional independent expertise.

I was lucky enough to recently take part in a roundtable discussion of an FBI cybercrime survey. One finding stood out: those companies investing the most in protection also reported the most security-related issues.

What does this mean? Is there some way that more security actually attracts attacks?

Well, no - just the opposite, in fact. Companies without adequate resources devoted to security are being attacked — they just don’t know it. The lack of a security solution isn’t protecting them. The lack of information is blinding them.

Even companies who’ve invested — sometimes heavily — in security point solutions suffer from security information problems. In such cases, there’s too much information.

That’s because security point solutions’ event logs make no distinction between serious problems and minor ones. The answer is, of course, to analyze these events over a specified timeframe, correlating them to a vulnerability index that prioritizes them. Thus armed, security managers have a much-improved grasp of the threats they face and where their vulnerabilities lie — and can focus their security resources accordingly, often reducing security costs.

But this takes both substantial effort and significant expertise. I strongly encourage exploration of these issues within one’s own organization at any phase — whether for analysis, planning, design, implementation, operations, or optimization. For many, the most cost-effective way to do this is via an experienced, trustworthy managed security services provider.