Corporate security experts face a crisis as they are caught between regulators demanding better accountability for data security and the need to keep businesses up and running with the help of many business partners, an American Express security executive told Interop New York attendees Tuesday.

As more data is housed at least temporarily outside corporate data centers, it becomes more difficult to comply with industry and government regulations, according to Steven Suther, director of information security management for American Express.

“Tell me where your data is and how it is being secured,” regulators want to know, he says. “So we need to define at what point is information outside our domain and how is it being protected.”

But businesses have very little control over how partners with whom they must share data protect it, he says. Amex asks its vendors to self-assess their security and if it comes up short, Amex will conduct on-site visits to assess the security in person. “We’re testing their controls so we can tell regulators we’re comfortable with what they are doing,” Suther says. Amex has designated vendor-relations managers who are responsible for ensuring that data controls are in place for a specific list of firms that Amex has hired to perform financial services jobs, he says.

The problem is complicated by whether the tools needed to protect data are available and affordable, says John Pironti, a principal for enterprise and security architecture for Unisys, and what combination of protections is considered sufficient by regulators. “What is good enough that everyone can agree on,” Pironti says. It is difficult to take the requirements of, say, Sarbanes-Oxley, and translate that into security policies, Suther says.
“We’re all suffering the same kind of lack of confidence in what we should be doing,” he says.

Suther says he struggles to balance imposing security on his financial services vendors and allowing them to do their jobs so Amex’s financial services business keeps running. “I have to be flexible right now if I want a universe of vendors for my business departments to choose from,” Suther says.

In practice, businesses are not imposing all the security they might, or are doing so only for the most important data, says Alex Van Deusen, a senior security consultant for Cisco. “They’re just not rolling it out to every level of their enterprise,” he says of businesses he has consulted with.

Regardless of the technology in place to protect data, people still represent the biggest threat, says Alex Ryskin, IT director for the laser laboratories at the University of Rochester in New York. End users must face penalties if they fail to follow security policies so they recognize their importance and follow them, he says. “You would be shot – literally – in Soviet Russia,” where he lived for 40 years, he says. “It did work.”

And U.S. corporations are starting to get tough themselves, says Van Deusen. “You need severe penalties, clearly defined: you are going to get fired,” he says.

Suther says that less drastic means can help enormously, particularly educating users on the risks and consequences for the business if security is breached. “It’s one of the few areas where we feel we can do the most,” he says. He recommends that businesses set up goals for data security and review how well they have worked every six months, with the goal of gaining better and better compliance over time. It is particularly important for business executives to be on board. They recognize the need for better security, and want to avoid devastating bad publicity if private data is compromised.
But they also want no negative effects on their business processes.

“We want to be able to say, ‘Things have gotten better and you have not ended up on the front page of the Wall Street Journal,’” he says.