Network World

The new reality for IT security

By Denise Dubie, NetworkWorld.com, 09/11/2006

BOSTON — Security executives from around the country converged in Boston this week to hear how their peers are tackling enterprise security and managing risk.

The Security Standard conference, hosted by Network World and other IDG publications, examined such issues as regulatory compliance, dealing with internal and external threats, working with law enforcement and establishing security best practices.

The conference also provided a forum in which security executives could explore how their responsibilities are changing and how they dovetail with more holistic concerns about corporate health.

Speaker Jason Jackson, director of emergency management at Wal-Mart Stores, said, “We should know what a hazard or risk could mean to our businesses, whether it’s a natural disaster or manmade attack, before it happens. Having a corporate structure in place regarding crisis is sometimes more important than having a detailed plan on how to react to specific events.”

Creating a culture

IT security is primarily focused on protecting the perimeter, but with internal data leaks and security breaches topping the news, security executives today are seeking measures to protect customer data and corporate intellectual property across the organization.

We are still “hard and crunchy on the outside, but soft and chewy on the inside,” said Dixon Greenfield, manager of data center operations at Valmont Industries, a manufacturing company in Valley, Neb. “So I need security at all the layers, but I’ve got certain sets of data that I’d like to have more secure than others.”

Security experts say the trick to building a more security-aware culture is finding the right mix of processes and technology that suit the business, and then educating the IT staff and user community on how to maintain secure practices.

Sean Franklin, an IT security manager at a large financial services firm, said, “People are our weakest links. Most of our wounds are still self-inflicted. Configuration changes that aren’t well thought out and leave us open and exposed in certain areas are still the hardest things to lick.”

Part of the problem lies in the fact that employees aren’t as technology or security savvy as the IT staff and often don’t realize when their actions — or lack thereof — pose a risk.

“They don’t take it as seriously, so getting across the message that little things that have to be implemented and can be irritating is, well, it’s a process,” Greenfield said.

A first step in creating a security-minded culture is making it clear why certain security policies are in place. It’s important to make sure security measures don’t impede business processes, industry watchers say, but if they need to, the IT security staff must educate users about why they have to take such precautions.

“IT managers assume end users know why they can’t, for instance, download music files,” said Zeus Kerravala, a vice president with Yankee Group. “The end user may think the policy is in place to prevent bandwidth hogging — when really it’s to avoid a specific virus — so they download after hours and still open up their organization to that risk. People are the low-hanging fruit when it comes to security.”
