This year, with all of its data breaches, has certainly proved that network security is much more complex than at past times, when firewalls were viewed as premium defense collateral. What are some methods/policies I should be aware of as I look to spend time (and security budget) in 2008?
The CSO's job has gotten more difficult recently as the focus of risk management has shifted from simply protecting their organization's network and server infrastructure to ensuring the Intellectual Property (IP) that is housed within and communicated across that infrastructure is not getting into the wrong hands.
A company's IP may be more valuable than its physical infrastructure. This is obviously the case in industries such as high technology, pharmaceutical, and biotechnology where the essence of competitive advantage and profits is intellectual property. But even in a number of 'lower tech' industries such as entertainment, retail, and financial services, proprietary content and know-how are keys to success and must be closely guarded.
Two fundamental requirements for the CSO charged with protecting this IP are 1) knowing what his organization's IP is, and 2) knowing who should be allowed to receive it. Meeting these requirements poses significant challenges.
According to a recent Enterprise Strategy Group (ESG) report, Extending Intellectual Property Protection Beyond the Firewall (sponsored by Reconnex), about half of the 109 companies surveyed did not have standard policies for identifying and classifying IP. Furthermore, IP classification is a bit of an organizational "hot potato" with responsibility for that classification spread across legal, line-of-business management, IT, and executive management in most organizations. This study also confirmed that more large organizations are sharing their IP with an increasing number of business partners (both domestic and international) in conjunction with outsourcing and offshoring relationships. In fact, about two-thirds of the organizations surveyed reported sharing moderate-to-substantial amounts of IP with their business partners today. Yet, less than half of those surveyed have a formal process for determining which IP can be shared with business partners.
So, what's a CSO to do?
First, you have to learn what IP needs protection and prioritize it based on business impact. This requires meeting with the functional managers who are tasked with the creation and use of IP to build an inventory of the types of IP within the organization. There will always be a tradeoff between business imperatives and security, so it is important to distinguish the 'must protect' from the 'nice-to-protect' and focus first on the 'must protect' IP. Automated IP discovery tools can help identify candidate IP that needs protection.
Second, you have to learn which business partners are permitted access to what IP. Again, this requires cross-functional dialogs with the business unit personnel who are tasked with working with outsourcing/offshoring partners, to determine what information is critical to those partners and what information must be restricted from dissemination. In most cases, business managers will not be aware of the full extent to which information is being sent to the organization's network of business partners. In this case, it may be helpful for the CSO to provide business managers with reports showing the types of information flowing to external partners so those managers can decide what is appropriate and what is not. Data loss monitoring and reporting tools can be helpful in producing these kinds of reports.
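As an added illustration of the two steps above (not code from the column or from any Reconnex product), the following Python builds the per-partner report a CSO would hand to business managers: it joins an assumed IP inventory (with the must-protect / nice-to-protect tiers) and an assumed partner entitlement list against constructed outbound transfer records, and flags flows that have no formal sharing decision behind them.

```python
from collections import defaultdict

# Constructed IP inventory from step one: classification -> priority tier.
# Class names are assumptions for illustration only.
IP_INVENTORY = {
    "source_code": "must-protect",
    "drug_formulation": "must-protect",
    "marketing_plan": "nice-to-protect",
}

# Constructed entitlements from step two: which IP classes each partner
# has been formally approved to receive (partner domains are made up).
PARTNER_ENTITLEMENTS = {
    "offshore-dev.example": {"source_code"},
    "cro-lab.example": {"drug_formulation"},
    "agency.example": {"marketing_plan"},
}

# Constructed outbound transfer records, as a data loss monitoring tool
# might log them: (sender, destination partner, IP class detected).
TRANSFERS = [
    ("alice", "offshore-dev.example", "source_code"),
    ("bob", "offshore-dev.example", "drug_formulation"),
    ("carol", "cro-lab.example", "drug_formulation"),
    ("dave", "agency.example", "source_code"),
    ("erin", "unknown-vendor.example", "marketing_plan"),
]


def partner_flow_report(transfers, inventory, entitlements):
    """Per partner: how much of each IP class is flowing out, and which
    flows carry IP the partner has no formal approval to receive."""
    report = {}
    for sender, dest, ip_class in transfers:
        entry = report.setdefault(dest, {"flows": defaultdict(int), "unapproved": []})
        entry["flows"][ip_class] += 1
        tier = inventory.get(ip_class, "unclassified")  # unknown class => unclassified
        if ip_class not in entitlements.get(dest, set()):  # unknown partner => nothing approved
            entry["unapproved"].append((sender, ip_class, tier))
    return report


def must_protect_exposures(report):
    """Unapproved flows of must-protect IP: the items to put in front of
    business managers first. Sorted for a stable, readable listing."""
    return sorted((dest, sender, ip_class)
                  for dest, entry in report.items()
                  for sender, ip_class, tier in entry["unapproved"]
                  if tier == "must-protect")


if __name__ == "__main__":
    rep = partner_flow_report(TRANSFERS, IP_INVENTORY, PARTNER_ENTITLEMENTS)
    for dest, entry in sorted(rep.items()):
        print(dest, dict(entry["flows"]), "unapproved:", entry["unapproved"])
    print("must-protect exposures:", must_protect_exposures(rep))
```

In practice the transfer records would come from the DLP tool's export and the entitlement list from the sharing decisions agreed with the business units; the report then tells managers which flows still need a decision.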
CSOs have a clear understanding of how to protect their organization's computing infrastructure. Their new challenge is to protect the critical business information living within that infrastructure from inappropriate disclosure. This requires the CSO to learn what that critical information is and who is allowed to receive it and then to put in place appropriate technology and processes to educate users and to detect and prevent the leakage of that information.
John Peters is CEO, Reconnex.