Security executives from around the country converged in Boston this August to hear how their peers are tackling enterprise security and managing risk.
The Security Standard conference, hosted by CIO and other IDG publications, examined such issues as regulatory compliance, dealing with internal and external threats, working with law enforcement and establishing security best practices. The conference also provided a forum in which security executives could explore how their responsibilities are changing and how they dovetail with more holistic concerns about corporate health.
Jason Jackson, director of emergency management at Wal-Mart Stores, says: “We should know what a hazard or risk could mean to our businesses, whether it’s a natural disaster or man-made attack, before it happens. Having a corporate structure in place regarding crisis is sometimes more important than having a detailed plan on how to react to specific events.”
IT security is primarily focused on protecting the perimeter, but with internal data leaks and security breaches topping the news, security executives today are seeking measures to protect customer data and corporate intellectual property across the organisation.
We are still “hard and crunchy on the outside but soft and chewy on the inside,” says Dixon Greenfield, manager of datacentre operations at Valmont Industries, a manufacturing company in Nebraska. “I need security at all the layers but I’ve got certain sets of data that I’d like to have more secure than others.”
Creating a culture
Security experts say the trick to building a more security-aware culture is finding the right mix of processes and technology that suit the business and then educating the IT staff and user community on how to maintain secure practices.
Sean Franklin, an IT security manager at a large financial services firm, says: “People are our weakest link. Most of our wounds are still self-inflicted. Configuration changes that aren’t well thought out, that leave us open and exposed in certain areas, are still the hardest things to lick.”
The people problem
Part of the problem lies in the fact that employees are not as technology or security savvy as the IT staff and often don’t realise when their actions – or lack thereof – pose a risk.
“They don’t take it as seriously, so getting across the message that little things that have to be implemented and can be irritating is a process,” says Greenfield.
A first step in creating a security-minded culture is making it clear why certain security policies are in place. Security measures should not impede business processes, and IT security staff must explain to users why the precautions they are asked to take are necessary.
“IT managers assume end users know why they can’t, for instance, download music files,” says Zeus Kerravala, a vice-president with Yankee Group. “The end user may think the policy is in place to prevent bandwidth hogging – when really it’s to avoid a specific virus – so they download after hours and still open up their organisation to that risk. People are the low-hanging fruit when it comes to security.” Security managers say communicating with business units before establishing policies will ensure the policies sync up with business processes as well as increase the chances that the groups will follow the mandates.
“There are key partnerships you have to form with the business units so you can educate them and say, ‘look, don’t email this information, come to us and we’ll help you figure out ways that you can exchange this information’,” says Beth Cannon, CSO at investment banking and brokerage firm Thomas Weisel Partners. Setting policies on what can and cannot leave the company in electronic format is an important exercise between the CSO and users, she believes.
“Determine what information may need to be exchanged – because maybe sometimes you don’t need to send a Social Security number. And you definitely don’t need to email it in the clear. Maybe we have an expectation as IT people that everybody should just know that,” Cannon says.
A security culture cannot depend on people and process alone. Technology available today can help automate policy enforcement, data collection and protection and augment companies short on staff. James Ballou heads security for Driscoll Children’s Hospital in Texas and faces the challenge of securing new technologies such as wireless – which he deems critical for bedside patient care.
Ballou says that adding Cisco’s Security Monitoring, Analysis and Response System (MARS) to detect anomalies in network traffic has let him better secure his network.
With limited staff, the IS security specialist and Health Insurance Portability and Accountability Act (HIPAA) security officer says he depends on technology to provide information that would take him too long to decipher.
“MARS is looking at data from all different sources, gauging its potential risk and correlating that to help me determine, where did it come from, what do I need to do to mitigate the risk and how can I avoid this in the future?” says Ballou. “HIPAA compliance requires a minimum standard of security for us to meet but we want to operate on a higher level than that. I need proactive, consistent threat management and pre-programmed responses built into our system to mitigate issues.”
Saving future costs
Companies that start honing their security practices today will save money tomorrow. While most companies spend about 3 per cent of their total IT budget on security, those that crank the investment up to around 8 per cent will – within 18 to 24 months – spend less on total security expenditures, according to research firm Gartner.
“Security today requires organisations to raise the culture of IT to do things more securely, not to change how others work,” says John Pescatore, lead security analyst at Gartner.
“Expecting end users to think about security in the way that IT needs to will fail. End users shouldn’t have a choice when it comes to operating more securely, the network, systems, IT team should make those decisions and they should be transparent to end users.”
Pescatore recommends updating systems to Simple Network Management Protocol Version 3, encrypting all email to reduce the risk of data leaks and leaning on software vendors during licensing negotiations to prove their products are secure. “If you make your equipment more secure, if you have more secure systems, then you won’t have to deal with as many issues and invest in more technology,” he says.
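Pescatore’s first recommendation, moving device management from SNMPv1/v2c to SNMPv3, is the kind of change a configuration audit can verify before a device goes into production. The script below is an added example, not code from the article or from Gartner; it runs over constructed Cisco IOS-style configuration fragments (the hostnames, group and user names, trap destination and placeholder passwords are all invented) and reports any SNMP setting that falls short of SNMPv3 at the ‘priv’ (authenticated and encrypted) security level, so the weak community-string setup can be compared directly with the hardened one.

```python
import re

# Constructed Cisco IOS-style configuration fragments (not taken from any real
# device). Passwords are obvious placeholders.
LEGACY_CONFIG = """\
hostname edge-router-1
snmp-server community public RO
snmp-server community s3cret RW 10
snmp-server host 192.0.2.10 version 2c public
"""

MIXED_CONFIG = """\
hostname edge-router-2
snmp-server community public RO
snmp-server group netops v3 priv
snmp-server user monitor netops v3 auth sha AUTHPASS_PLACEHOLDER priv aes 128 PRIVPASS_PLACEHOLDER
snmp-server host 192.0.2.10 version 3 priv monitor
"""

HARDENED_CONFIG = """\
hostname edge-router-3
snmp-server group netops v3 priv
snmp-server user monitor netops v3 auth sha AUTHPASS_PLACEHOLDER priv aes 128 PRIVPASS_PLACEHOLDER
snmp-server host 192.0.2.10 version 3 priv monitor
"""

# v1/v2c community strings travel in cleartext and are the setting to retire.
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+) (RO|RW)\b", re.IGNORECASE)
# SNMPv3 groups carry the security level: noauth, auth, or priv (auth + encryption).
V3_GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)\b")
V3_USER_RE = re.compile(r"^snmp-server user (\S+) (\S+) v3 (.*)$")
HOST_RE = re.compile(r"^snmp-server host ")


def audit_snmp(config_text):
    """Return a list of (severity, message) findings for the SNMP settings in an
    IOS-style config. Anything below SNMPv3 'priv' is reported."""
    findings = []
    v3_priv_groups = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            name, mode = m.group(1), m.group(2).upper()
            sev = "high" if mode == "RW" else "medium"
            findings.append((sev, f"v1/v2c community '{name}' ({mode}) sends credentials in cleartext"))
            continue
        m = V3_GROUP_RE.match(line)
        if m:
            group, level = m.groups()
            if level == "priv":
                v3_priv_groups.add(group)
            else:
                findings.append(("medium", f"SNMPv3 group '{group}' uses level '{level}' (no encryption)"))
            continue
        m = V3_USER_RE.match(line)
        if m:
            user, _group, rest = m.groups()
            if "priv" not in rest.split():
                findings.append(("medium", f"SNMPv3 user '{user}' has no priv (encryption) settings"))
            elif re.search(r"\bpriv (des|3des)\b", rest):
                findings.append(("low", f"SNMPv3 user '{user}' uses DES/3DES; prefer AES"))
            if re.search(r"\bauth md5\b", rest):
                findings.append(("low", f"SNMPv3 user '{user}' authenticates with MD5; prefer SHA"))
            continue
        # Trap/inform destinations default to v1 unless 'version 3' is given.
        if HOST_RE.match(line) and not re.search(r"\bversion 3\b", line):
            findings.append(("medium", f"trap/inform destination uses v1/v2c: '{line}'"))
    if not v3_priv_groups:
        findings.append(("high", "no SNMPv3 group at security level 'priv'; device cannot be managed over encrypted SNMP"))
    return findings


def worst_severity(findings):
    """Collapse a findings list to its highest severity, or 'none' if clean."""
    order = {"high": 3, "medium": 2, "low": 1}
    return max((s for s, _ in findings), key=order.get, default="none")


if __name__ == "__main__":
    for name, cfg in [("legacy", LEGACY_CONFIG), ("mixed", MIXED_CONFIG), ("hardened", HARDENED_CONFIG)]:
        result = audit_snmp(cfg)
        print(f"{name}: worst={worst_severity(result)}")
        for sev, msg in result:
            print(f"  [{sev}] {msg}")
```

The legacy fragment is reported at ‘high’ (a read-write community string and no encrypted SNMPv3 group at all), the mixed fragment only for the leftover read-only community string, and the hardened fragment is clean. The same check can be pointed at exported configurations as a gate in a change process, which is the ‘make your equipment more secure up front’ point Pescatore makes above.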
On the vendor front
Cisco and Microsoft announced they will make their network access-control products interoperable using Vista Server, supposedly due next year. Some industry watchers say the partnership is a sign of things to come. “There has been a shift in Cisco over the past few years. The company is not as hell-bent on doing everything themselves; they are partnering more and especially in the area of security,” says Yankee Group’s Kerravala. “The vendors are starting to hear the cries from their customers that they don’t have just one vendor in their environment and those they do have need to do the work on integrating security and other functions and making it easier for the customer to deploy,” says Gartner’s Pescatore.
Changing CIO security priorities
2005 to-do list
1) Disaster recovery/business continuity
2) Employee awareness programmes
3) Data backup
4) Overall information security strategy
5) Network firewalls
6) Centralised security information management system
7) Periodic security audits
8) Monitor employees
9) Monitor security reports
10) Spending on intellectual property protection
2006 to-do list
1) Data backup
2) Network firewalls
3) Application firewalls
4) Disaster recovery/business continuity
5) User passwords
6) Monitor security reports
7) Periodic security audits
8) Secure remote access
9) Spyware/adware/spam detection tools
10) Monitor compliance with security policy and employee awareness programmes