The focus of network security should shift from securing infrastructure to securing data, and that requires extraordinary marketing measures by IT security staff, according to speakers at the Forrester Research Security Conference Thursday.
"The focus should be we need to protect data vs. secure the infrastructure," says Paul Stamp, an analyst for Forrester.
That is such an important issue for Diageo - the parent company for Smirnoff, Guinness, Bailey's and other brands of alcoholic beverages - that the company has sophisticated, internal marketing videos to promote data security, says Claudia Nadenson, the company's CISO who spoke at the conference.
In addition, the company sponsors educational sessions tailored to the regional culture of the branch being trained, Nadenson says. For instance, in Jamaica, where the company owns the Red Stripe beer brand, seminars are held at beach parties with boom-box music, while U.K. workers respond better to a county fair atmosphere where they walk from booth to booth for briefings, she says.
And prizes work. "We're not averse to giving away iPods if you can recite key areas of a policy. Our team says we are the corruption and bribery team."
Publicized security breaches can damage corporate brands, she says, so it is important to prevent them. Since some of these breaches can be caused by workers' failure to appreciate security, it is imperative to get them on board with policies, she says.
Stamp says that business units must accept responsibility for the security of the data they generate and control to head off data leaks. "IT people are data custodians, not owners," Stamp says. "We need to transfer responsibility to business people."
To do that, business departments such as finance, marketing and human resources have to perceive IT security as enabling their jobs, not as a roadblock preventing them from using potentially productive IT tools, says Nadenson.
She suggests meeting with heads of business departments and listening to their biggest business priorities first and then presenting security as an important element they should incorporate in new projects as they develop them. These meetings should be ongoing to keep security as an important part of the process, she says.
"It's about embedding security in the culture," Nadenson says.
In addition, IT executives need to quantify how well the internal security-marketing is working. "It's not about how many people were put through awareness training; it's about how they've changed the way they work," she says.
In her two years at Diageo, Nadenson says, the company has reduced the number of corporate laptops that leave the building in order to protect sensitive data such as projected earnings or the next promotion for a new drink - powerful information in the wrong hands.
The budgets for these efforts should come from the business units themselves or from corporate-wide budgets, she says, but that involves converting executives to believe in the importance of the work. "Don't let them keep you in the back. We are business enablers," she says.
Nadenson suggests some ways to succeed at raising security awareness and business-department ownership of security responsibility for data:
* Demonstrate how security is vital to the success of their initiatives.
* Suggest the technical help you think you can offer.
* Always deliver on that help.
* Follow up to say, "This is what we've done for you." You have to be a spin doctor for yourself.