Chief security officers obsess about risk management, and who can blame them? But their inclination toward protectiveness regularly collides head-on with pressure to spread technology's benefits far and wide.
How do you secure critical information and computer systems while extending your networks' boundaries to accommodate field workers, telecommuters, business partners, contractors and suppliers? At the same time, cyberattacks are growing in frequency, cleverness and severity.
Clearly, security managers must implement a threat management strategy that helps them stay aware of the latest threats and establish procedures and technologies to thwart attacks.
The following advice about defending critical resources comes from two security experts: Alan Paller, director of research at the SANS Institute, a training and education organization for security professionals; and Pete Lindstrom, director of research at Spire Security, a consulting firm.
Paller has culled information from extensive discussions with hundreds of security managers who have participated in SANS' WhatWorks program. He has uncovered some useful and little-known strategies for threat management, the practice of anticipating and blocking network-based attacks. Lindstrom deals with those issues as a consultant.
Find all the open doors and lock them tight
Maintain properly configured systems and stay up-to-date with patches that fix vulnerabilities in commercial software. Those two policies will reduce vulnerabilities on your network, Lindstrom said. They're a vital yet often overlooked first step.
You should fortify the systems under your control before you move into a monitoring scheme to track and identify network and system anomalies, he said.
The best way to ensure that your systems are properly configured is to automatically test, quarantine and disconnect systems that do not meet your configuration standards, Paller said.
For example, strong security policies and standards are at the core of MCI's strategy to reduce threats to the telecommunications carrier's network, said Sara Santarelli, the company's vice president of network and information security and chief security officer. Company officials have created an Enterprise Security Task Force with a steering committee of executives from a cross-section of disciplines, including information technology, security, human resources, law and public policy.
Santarelli said managing the volume of data moving through enterprise networks and responding to the alarms triggered by possible threats can be difficult. Therefore, you should prioritize systems that are susceptible to attack and devote the majority of your resources to protecting them.
"Security should be built out like a wave in a pond," she said.