Data Security: Whose Job Is It Really?
Forrester has a recommendation for CISOs struggling with how to secure corporate data:
Stop trying so hard.
Despite years of investments in technology and processes, protecting enterprise-wide data remains a maddeningly elusive goal for chief information security officers (CISOs). Software-as-a-service (SaaS), Web 2.0 technologies, and consumerized hardware increase the number of escape routes for sensitive information. Regulations, statutes, and contractual expectations drown CISOs in audit requests and ratchet up the pressure to do something about the problem. Hordes of vendors confuse CISOs with innumerable sales pitches.
Instead of beating your head against the wall, devolve responsibility to the business, keeping controls closest to the people who use the data. IT security should be primarily responsible only for deploying data protection technologies that require minimal or no customization.
Data-Centric Security Is More Important Than Ever--But Harder To Achieve
Today's regulatory climate forces IT security to comply with statutes such as Sarbanes-Oxley and HIPAA, industry-imposed security standards such as the PCI Data Security Standard (DSS), and an unending barrage of audit requests from key customers, banks, and auditors. From Boeing to Petrobras to The TJX Companies, daily newspaper headlines grimly announce the latest toxic data spills, causing increased customer scrutiny.
The pressure on IT security to secure enterprise data in all its forms has reached its breaking point. According to Forrester's Enterprise And SMB Security Survey, North America And Europe, Q3 2008, a huge majority of IT professionals--85 percent--worry about the loss of intellectual property. But IT security staffs are stretched thin and are increasingly challenged to solve an essentially unbounded problem. Organizations today face:
-- Massively increased conduits for information flow. Fifteen years ago, the most common Internet connection was the T1. Today, it is the OC-12--two orders of magnitude more bandwidth. Increasingly, mainstream technologies like virtualization are redrawing the lines between operating systems and the hardware they run on. And the adoption of non-owned IT assets continues apace. The confluence of outsourcing, SaaS, and unmanaged consumer gadgets ensures that IT security's grip on information has never been more tenuous.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
security
Powered by Twitter
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
