June 01, 2009, 9:56 AM — What is enterprise data security?
Here's a typical enterprise data security scenario in corporate America today: There are three people who access a company's data stores. The first, a sales manager, sees the opportunity to match products with paying customers, based on their buying history. The second, a business manager, sees the opportunity to catch the competition flatfooted with unique market intelligence. The third is a hacker who just sees malevolent opportunity.
Your job is to deliver useful information to the first two in real time while denying the third access, information and, if possible, his freedom. How you do that is called enterprise data security.
Most people think tactically about security, yet effective security decisions originate with policy. It pays to take the long view with security, arm yourself with security-product platforms, and defend your company by first shoring up your weaknesses.
Here are some questions to keep in mind when discussing enterprise data security:
Should I focus on the big virus threats or on the broader task of securing my data?
Data security should always be your primary focus, says Jonathan Penn, a security analyst and vice president with Forrester Research.
Threats like the Conficker virus, which gathered much attention in the spring of 2009, are topical and, in a perverse cultural sense, sexy. That's what F.U.D. (fear, uncertainty, doubt) is. There is a satisfying impact when you bring them up in senior staff meetings, and they get a lot of attention in budget discussions.
Of course, you have to take them seriously, but reacting to threats is by definition falling behind events. And while a coherent data-security strategy won't immunize you against every threat, it will prepare you for attacks and internal mishaps, which will lessen their impact.
There's no way to overspend on security, right?
Hold on. Time for an analogy: Every major city in the world has one residential address that's more of a bunker, ready for a siege fit for a Peter Jackson movie. Not only are the chances of such an encounter astronomical, some of these armaments don't even work (thankfully).
Yes, your most precious commodity is your employees' and customers' data, but you can spend too much on security. And if you are listening closely enough, you might even know when you're overdoing it.
"Your sales force will let you know," says Gartner security analyst John Pescatore. Put too many hoops between them and the customer database, and you'll slow their ability to sell. That makes for unhappy employees--and fewer sales.
Pescatore says you have to challenge new security procedures and tools for effectiveness as well as overzealousness.
"Ask the question," Pescatore says. "Why are we making the sales staff use three passwords and a token to get to their information?" It's probably over the line and probably wasting time and resources.
You're continuously balancing the need to safeguard data with efficient information access. It means exhaustively researching products that are best suited for your particular operations. It means training everyone about their responsibilities. It means following up with network monitoring and refresher classes.
Pescatore says the typical enterprise is spending 6 percent to 7 percent of the IT budget on security, not counting business continuity or disaster recovery expenses. That's equal to about 0.4 percent of revenue. (While it may not be the best comparison, he says, typical retailers spend 1.5 percent of revenue to keep shrinkage, or losses due to theft, stable at that 1.5 percent mark.)
Can I safely cut my security budget?
Surprisingly, yes, it's possible. Two ways come to mind: Always know your systems, and spend wisely.
First, find your vulnerabilities before your enemy does. Think of your organization as an onion. Every layer, all the way down to the core--which might be individuals and their contact with the outside world--can have vulnerabilities. Each vulnerability has to be identified and resolved.
Pescatore recalls one organization that reduced its security budget, and even its support spending, by consolidating its many Microsoft Windows images, or versions of Windows, to just two or three.
This strategy is almost always going to be less expensive and more effective than buying an application that merely tries to shield or ameliorate vulnerabilities.
Assuming you've analyzed your systems (and that you do it regularly), look at your buying strategy. Like those companies with numerous Windows images, many are freckled with point products. They are not coordinated, some are outdated and others are outright redundant.
Instead, think in terms of platforms for discrete functions. Replace a hodgepodge of products with, for example, an e-mail security platform, a Web security platform, and a wireless security platform.
How do I get the CEO to buy into my strategy?
First, says Forrester's Jonathan Penn, realize that "you can't convince people about security priorities." A lot of times, it's an emotionally charged issue. "You can only educate them," he says. Tell them about precautions that your competitor or industry is taking, for example.
And don't assume that savings will win you quick approval. It's counterintuitive to think spending less could deter threats. Just be ready to show in detail how your strategy--whatever the cost--covers you for known threats and creates a foundation on which you can mount an immediate defense against as-yet unknown vulnerabilities.
I'm looking long-term. My systems are platform-based. My security stance mirrors the threats. Do I still need to focus down to the individual packet level?
Affirmative. You need to know if critical data is going places you don't want it to go--even if it's just between internal departments. One company found out that customer service reps were distributing customer data among themselves, not even knowing it was a violation of protocol.
And in an era of portable devices and cloud computing, you need to know when something connects to your systems, whether that device or person is cleared, and if the device itself has adequate safeguards.
Should I derail a project nearing completion to insert security measures?
Trick question. Short of lighting fires in all the recycling bins to get your CEO's attention, you should do everything in your power to stop projects that will endanger your customers' information (and by extension, your company).
But you can't let that situation occur in the first place. If a proposal is solid enough to show the CEO, it should arrive with security already baked into the details. In fact, security needs to be a standard litmus test, just like ROI is (or should be), for whether the idea makes it out of a department or division.
You might hear that one project is essentially the same as another one that got a green light six months ago. Don't waver. Security challenges mutate like the flu. And no two projects are alike, which means there are new vulnerabilities with each one.