Why Technology Isn't the Answer to Better Security
Protect Information, Not Just Systems
Where data is and where it's going constantly worries information security managers. Thirty-eight percent of the managers we surveyed said they experienced one to 49 security events in the past year, and another 35 percent say they don't know whether they have been hit. Those figures are close to last year's results.
Among those in our survey who experienced incidents, 39 percent found out about them via server or firewall logs and 37 percent used intrusion detection or prevention systems. But a significant number-36 percent-say a colleague clued them in. These figures reflect an unchanging trend showing that the human element is just as important as any technological one when it comes to good security. More evidence of the need for diligent and repeated employee training.
Investing employees with responsibility for keeping data correct and protected is the best way for a company to guard against security threats, says Tim Stanley, CISO at Continental Airlines.
Stanley wants to categorize every file in the enterprise by three variables: owner, business value and risk level. The government has "top secret," "secret" and "confidential" ratings, but Continental's designations will be more granular and dynamic, using tiers and subsets of tiers. Thinking this way vaults Continental ahead of most companies. Just 24 percent report that classifying the business value of data is part of their security policies. While 68 percent classify their data according to risk level, at least periodically, 30 percent don't ever do it.
The complexity of such a project explains the low numbers, Lobel says. "Doing this project is a lot of effort, and unless there's a regulatory need for it, many don't do it."
Stanley expects the project to take three or four years. "Anything that keeps planes in the air and money coming through is Tier 1," Stanley explains. That would include information about crew scheduling, and cargo and fuel needs, as well as credit card processing information. Tier 2 or 3 is still important to protect, but not critical to keeping planes aloft, for example, providing employees access to their 401(k) accounts.
Security technology and procedures will correspond to the risk and tier level in which a given piece of data falls, as defined by the data owner. Tier 1 might mandate twice-a-day backups and two-factor user authentication, he says. "I can expend my resources more appropriately to our data's value and therefore save the company money," he says. "Stop spending $10 to protect $5 worth of data." Music to an airline CEO's ears, no doubt.
Which Brings Us Back to Money
With security budgets averaging $1.7 million, an optimistic 44 percent of those surveyed said their information security spending would increase this year, while 4 percent expected a decrease. Where will the money go? We see glimmers of hope. Top priorities in the coming year include hiring information security consultants and hiring a chief information security officer. Respondents also plan to develop security procedures for handheld devices and create an identity management strategy. They expect to invest in technologies, including biometrics, to tighten access to sensitive data, as well as in data-leakage prevention and security event correlation tools to start analyzing what works and what doesn't on which kinds of security problems.
These steps, Lobel says, will get companies closer to a comprehensive security strategy. Already, he notes, 40 percent of organizations use security as a marketing point, usually soliciting business on the grounds that they protect customer data better than their rivals. "But it's only a competitive advantage if it works, if it's good security."