
Information security is a major operational risk

When you lay down a law, make sure it is not disobeyed
The Art of War
I've been working in the field of data theft for about 3 years and the simplicity of it all just amazes me. I ask myself when companies are going to "get it".

Take for example, the Veterans Administration event in May 2006. Data containing unencrypted names, Social Security numbers and birth dates of all U.S. veterans discharged since 1975 was stolen during a burglary at the Maryland home of a data analyst who works for the agency.

Lots of IT security consultants will tell you that the No. 1 tool to protect data is awareness, yet VA officials said the analyst wasn't authorized to take it home. So, the employee was probably aware but made a mistake.

I read a quote from Robert Garigue, chief security executive and vice president of information integrity at Bell Canada in Montreal: "What it comes down to is information life-cycle management."

That's a very nice statement, but I sure as heck don't understand what that means, and I doubt my customers do either. All MY customers are still busy with firewalls, anti-virus and anti-spyware, a situation echoed by a colleague of ours over at Nextel, the number 2 security integrator in Spain.

Managing information is an operational risk, but are firewalls, anti-virus and anti-spyware relevant to operational risk?

Security technology is seen as a means of defending the organization rather than as a means of improving understanding and reduction of operational risk.

Today's defense in depth strategy is to deploy multiple tools at the network perimeter (firewalls, intrusion prevention and malicious content filtering) and at the endpoints (removable device control and personal firewalls). The defensive focus is on outside-in attacks, despite the fact that the majority of attacks on customer data and intellectual property are inside-out.

For sure, information life-cycle management products can help control access and regulate flows of sensitive data in order to prevent unauthorized disclosure. However, the process of classifying and monitoring enterprise information is highly complex and expensive, and as a result has not seen wide customer adoption.

If you're a CIO or CISO, I recommend the following practical strategy (which will be a lot cheaper than paying a vendor $5-10M for an enterprise information life-cycle management system):

1. Understand that information security is a major operational risk for your company. You'll find that the CEO appreciates that approach a lot more than your usual spiel about IT security defense-in-depth.

2. Get some software to encrypt data on notebook hard disks - there are lots of free encryption tools.

3. Give managers corporate USB drives, get the kind that come with encryption. Tell them that use of personal USB drives will be paid for in their performance review.

4. Write an AUP regarding data encryption on notebooks and USB drives. Make everyone sign and make violations and compliance part of the employee's performance review.
Download a free Internet AUP here

5. Realize that 50% of all security breaches are due to exploitable vulnerabilities in enterprise software, in particular Web applications; the bugs are simple, fundamental defects. Call us and we'll help you reduce your operational risk due to buggy software.


This page contains a single entry from the blog posted on October 5, 2006 8:14 PM.
