The new reality for IT security

BOSTON — Security executives from around the country converged in Boston this week to hear how their peers are tackling enterprise security and managing risk.

The Security Standard conference, hosted by Network World and other IDG publications, examined such issues as regulatory compliance, dealing with internal and external threats, working with law enforcement and establishing security best practices.

The conference also provided a forum in which security executives could explore how their responsibilities are changing and how they dovetail with more holistic concerns about corporate health.

Speaker Jason Jackson, director of emergency management at Wal-Mart Stores, said, “We should know what a hazard or risk could mean to our businesses, whether it’s a natural disaster or manmade attack, before it happens. Having a corporate structure in place regarding crisis is sometimes more important than having a detailed plan on how to react to specific events.”

Creating a culture

IT security has traditionally focused on protecting the perimeter, but with internal data leaks and security breaches topping the news, security executives today are seeking measures to protect customer data and corporate intellectual property across the whole organization, not just at its edge.

We are still “hard and crunchy on the outside, but soft and chewy on the inside,” said Dixon Greenfield, manager of data center operations at Valmont Industries, a manufacturing company in Valley, Neb. “So I need security at all the layers, but I’ve got certain sets of data that I’d like to have more secure than others.”

Security experts say the trick to building a more security-aware culture is finding the right mix of processes and technology that suit the business, and then educating the IT staff and user community on how to maintain secure practices.

Sean Franklin, an IT security manager at a large financial services firm, said, “People are our weakest links. Most of our wounds are still self-inflicted. Configuration changes that aren’t well thought out and leave us open and exposed in certain areas are still the hardest things to lick.”

Part of the problem lies in the fact that employees aren’t as technology or security savvy as the IT staff and often don’t realize when their actions — or lack thereof — pose a risk.

“They don’t take it as seriously, so getting across the message that little things that have to be implemented and can be irritating is, well, it’s a process,” Greenfield said.

A first step in creating a security-minded culture is making it clear why certain security policies are in place. It’s important to make sure security measures don’t impede business processes, industry watchers say, but if need be, the IT security staff must educate users on why they have to take such precautions.

“IT managers assume end users know why they can’t, for instance, download music files,” said Zeus Kerravala, a vice president with Yankee Group. “The end user may think the policy is in place to prevent bandwidth hogging — when really it’s to avoid a specific virus — so they download after hours and still open up their organization to that risk. People are the low-hanging fruit when it comes to security.”

Security managers say communicating with business units before establishing policies will ensure the policies created sync up with business processes — as well as increase the chances that the groups will follow the mandates.

“There is a key partnership you have to form with the business units so you can educate them and say, ‘Look, don’t e-mail this information, come to us and we’ll help you figure out ways that you can exchange this information,’” said Beth Cannon, CSO at investment banking and brokerage firm Thomas Weisel Partners in San Francisco. Setting policies on what can and cannot leave the company in electronic format is an important exercise between the CSO and users, she said.

“Determine what information may need to be exchanged — because maybe sometimes you don’t need to send a Social Security number. And you definitely don’t need to e-mail it in the clear. Maybe we have an expectation as IT people that everybody should just know that,” Cannon said.

Adding technology

A security culture cannot depend on people and process alone. Technology available today can help automate policy enforcement, data collection and data protection, and can augment shops that are short on staff.
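One concrete form of the automated policy enforcement described above is an outbound e-mail check for the kind of data Cannon says should never be e-mailed in the clear, such as Social Security numbers. The following is an added example written for this page, not code from the article, any vendor product, or any of the firms quoted; the internal domain `example.com`, the message samples and the decision format are assumptions made for the illustration.

```python
"""Outbound e-mail DLP check: block U.S. Social Security numbers leaving the
company in clear text.  Added example for this article; assumes a policy of
the kind Cannon describes, not any specific product or mail gateway."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import getaddresses

# Assumption: the company's own mail domains.  Mail to these stays internal.
INTERNAL_DOMAINS = {"example.com"}

# 3-2-4 digits with optional '-' or ' ' separators.  The digit lookarounds stop
# the pattern from matching inside longer numbers (invoice IDs, dates, phones).
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_plausible_ssn(area, group, serial):
    """Reject values the SSA never issues, which cuts obvious false positives."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    if group == "00" or serial == "0000":
        return False
    return True


def find_ssns(text):
    """Return every plausible SSN in text, normalised to AAA-GG-SSSS form."""
    return [f"{a}-{g}-{s}" for a, g, s in SSN_RE.findall(text)
            if is_plausible_ssn(a, g, s)]


def leaves_company(msg):
    """True if any To/Cc/Bcc recipient is outside INTERNAL_DOMAINS.

    An address without '@' is treated as external so the check fails closed."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    for _, addr in getaddresses(headers):
        domain = addr.rpartition("@")[2].lower()
        if domain not in INTERNAL_DOMAINS:
            return True
    return False


def text_parts(msg):
    """Yield the decoded text of every leaf part: body text and attachments."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_maintype() == "text":
            yield part.get_content()
        else:
            # Binary attachment: best-effort scan of its raw bytes.  Real
            # deployments need a content extractor for office/PDF/zip formats.
            yield (part.get_payload(decode=True) or b"").decode("utf-8", "ignore")


def check_outbound(raw):
    """Decide whether a raw RFC 822 message may leave the company."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    if not leaves_company(msg):
        return {"action": "allow", "reason": "internal recipients only", "ssns": []}
    hits = []
    for text in text_parts(msg):
        hits.extend(find_ssns(text))
    if hits:
        return {"action": "block",
                "reason": "SSN in clear text to external recipient", "ssns": hits}
    return {"action": "allow", "reason": "no sensitive data found", "ssns": []}


def build_message(sender, to, body, attachment=None):
    """Helper to construct sample messages; attachment is (filename, csv_text)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, to, "sample"
    m.set_content(body)
    if attachment:
        name, data = attachment
        m.add_attachment(data, subtype="csv", filename=name)
    return m.as_bytes()


# Constructed sample traffic (not real messages or real SSNs).
SAMPLE_EXTERNAL_SSN = build_message(
    "analyst@example.com", "partner@otherfirm.example",
    "Client SSN is 123-45-6789, please open the account. Call me at 555-123-4567.")
SAMPLE_INTERNAL_SSN = build_message(
    "analyst@example.com", "ops@example.com",
    "Internal only: client SSN 123-45-6789 for the onboarding ticket.")
SAMPLE_EXTERNAL_CLEAN = build_message(
    "analyst@example.com", "partner@otherfirm.example",
    "Invoice 000-12-3456 is approved; ref 20060912.")
SAMPLE_EXTERNAL_CSV = build_message(
    "hr@example.com", "payroll@vendor.example",
    "Attached is this month's roster.",
    attachment=("roster.csv", "name,ssn\nA. Smith,234-56-7890\nB. Jones,345678901\n"))

if __name__ == "__main__":
    for label, raw in [("external+ssn", SAMPLE_EXTERNAL_SSN),
                       ("internal+ssn", SAMPLE_INTERNAL_SSN),
                       ("external clean", SAMPLE_EXTERNAL_CLEAN),
                       ("external csv", SAMPLE_EXTERNAL_CSV)]:
        print(label, check_outbound(raw))
```

The check deliberately scans attachments as well as the body, since a CSV roster is the more common way an SSN leaves a company than a sentence in the body. The plausibility filter and the digit lookarounds keep the rule from blocking invoices and phone numbers, which matters because a noisy rule is exactly the kind of "irritating" control Greenfield says users stop taking seriously. The example only enforces the policy on mail that leaves the company; whether internal mail should carry SSNs in the clear is a separate policy decision.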

James Ballou heads security for Driscoll Children’s Hospital in Corpus Christi, Texas, and faces the challenge of securing new technologies such as wireless — which he deems critical for bedside patient care.

By adding Cisco’s Security Monitoring, Analysis and Response System (MARS) to detect anomalies in network traffic, Ballou said he can better secure his network. With limited staff, the IS security specialist and HIPAA security officer says he depends on vendor technology to provide information that would take him too long to decipher on his own.

“MARS is looking at data from all different sources, gauging its potential risk and correlating that for me to help me determine, where did it come from, what do I need to do to mitigate the risk and how can I avoid this in the future,” Ballou said. “HIPAA compliance requires a minimum standard of security for us to meet, but we want to operate on a higher level than that. I need proactive, consistent threat management and pre-programmed responses built into our system to mitigate issues.”

Industry watchers say companies that start honing their security practices today will save money tomorrow. While most companies spend about 3% of their total IT budget on security, those that crank the investment up to around 8% will — within 18 to 24 months — spend less on total security expenditures, according to research firm Gartner.

“Security today requires organizations to raise the culture of IT to do things more securely, not to change how others work,” said John Pescatore, lead security analyst at Gartner. “Expecting end users to think about security in the way that IT needs to will fail. End users shouldn’t have a choice when it comes to operating more securely, the network, systems, IT team should make those decisions, and they should be transparent to end users.”

Some first steps Pescatore recommends include updating systems to Simple Network Management Protocol Version 3 (SNMPv3), encrypting all e-mail to reduce the risk of data leaks and leaning on software vendors during licensing negotiations to prove their products are secure.

“If you make your equipment more secure, if you have more secure systems, then you won’t have to deal with as many issues and invest in more technology,” he said.

On the vendor front

Cisco and Microsoft used the event to announce they will make their network access-control products interoperable by the delivery of Vista Server next year, an example of how vendors are increasingly willing to make sure their products work together to secure customer networks.

The agreement would have Cisco gear working with Microsoft systems to screen devices attempting to gain access to a network. Industry watchers say the partnership is a sign of things to come.

“There has been a shift in Cisco over the past few years. The company is not as hell-bent on doing everything themselves; they are partnering more, and especially in the area of security,” Yankee Group’s Kerravala said.

Cisco CEO John Chambers, who delivered a keynote address at the show, described IP mobility and collaboration technologies as one of the largest IT security challenges facing enterprises, and possibly one of the greatest tools for converging physical and digital security.

Chambers outlined the benefits of “quad-play” — or the combination of data, voice and video with mobility — and the security challenges associated with having a mobile workforce that accesses, shares and spreads data and information via a growing number of IP-enabled devices, and across multiple networks.

“The opportunity for harm, either by deliberate action, or by neglect, becomes much higher,” as an enterprise workforce has easier access to data, and the ability to easily share information via IP communications, Chambers said.

That opportunity for harm may translate into an opportunity for Cisco to make money in the security market with products and partnerships, but it also means customers can hope to see more integration among Cisco and other vendors — as well as interoperability efforts within the vendor community as a whole — when it comes to securing their gear and systems against internal and external attacks.

“The vendors are starting to hear the cries from their customers that they don’t have just one vendor in their environment and those they do have need to do the work on integrating security and other functions and making it easier for the customer to deploy,” Gartner’s Pescatore said.

Senior Editor Phil Hochmuth contributed to this story.


Copyright © 2006 IDG Communications, Inc.
