Why Technology Isn't the Answer to Better Security
The Big Picture: Technology Reigns
Money really is power, isn't it? When asked to indicate any sources of funding for information security, 57 percent of survey respondents named the IT group and 60 percent cited functional areas such as marketing, human resources and legal as major providers. Just 24 percent indicated a dedicated security department budget.
With the IT group a strong force, technology becomes the answer to many security questions. To someone with a hammer, everything looks like a nail, according to the old saw. Divert potential phishing attacks with spam filters. Stymie laptop thieves by encrypting corporate data.
If there's a security tool out there, our survey pool uses it.
Companies have realized they must do a better job disposing of outdated computer hardware, for example, wiping disks of data and applications. Sixty-five percent of respondents now have tools to do that, up from 58 percent last year. More organizations than ever are encrypting databases (55 percent), laptops (50 percent), backup tapes (47 percent) and other media. Use of intrusion-detection software also is up: 63 percent this year compared with 59 percent last year. And installing firewalls to protect individual applications, not just servers and networks, increased to 67 percent from last year's 62 percent.
That's good stuff.
Despite these technology-oriented gains, though, disturbing trends continue in the areas of security processes and personnel; some of them negate any protection an IT budget can buy. For example, encrypting sensitive data makes good sense, but such technology can't stop an employee from flouting policies concerning how that data should be handled.
If the goal is to secure information, to make it truly safe, you'd better develop processes and procedures for putting your nails in the right place before whacking anything with a technology hammer. Technology must be part of a larger plan to secure information, says Dennis Devlin, chief information security officer at Brandeis University. Devlin reports to Brandeis's vice president and provost for libraries and information technology.
Criminal activity becomes the focus of a lot of what we do in information security. Lock down the Wi-Fi to keep out the bad guy. (Got that, TJX?) But well-meaning people who make bad decisions inflict untold numbers of security incidents upon us, Devlin says. He's seen it at Brandeis, since joining last year, and at Thomson Corp., now called Thomson Reuters, where he was chief security officer for seven years.
For example, employees sometimes fall for e-mail scams and open attachments that unleash malicious software such as keystroke loggers that record passwords and rootkits that take control of operating systems. Devlin says the job of security managers is to teach self-defense. Rather than warn employees to watch out for the latest e-mail scam bearing a specific subject line, for example, the idea is to teach people broader lessons about the risks of clicking on unfamiliar URLs, opening attachments or handing over Social Security numbers to anyone online, he says.
"It's not possible with technology to protect every individual from every possible security risk," he says. "Our job is to teach people to think the way we think."
Like Brandeis, more organizations seem to be trying that. This year, 54 percent of survey respondents said they provide employees with security awareness training, up from 42 percent last year.
Furthermore, what's taught at many organizations provides only a veneer of security, namely, compliance with government or industry regulations.