As vendors, security industry pundits, politicians, and CISOs fire volleys back and forth over the best way to protect data, attackers are taking advantage of our confusion: The consensus among the infosec community is that 2009 was worse than 2008 in terms of data loss, and that's saying something. Remember 2008? The year 285 million records were breached--a number exceeding all of the records exposed from 2004 through 2007?
Respondents to our InformationWeek Analytics Data-Centric Security Survey know something needs to give--and they hope it's not the gates holding back the marauding hordes.
"Executives would like to believe that we're on par with others in our industry group, but this is not so," says one survey respondent. "I keep pounding the table for an independent evaluation. I know of holes. I fear that it will take a serious breach of [personally identifiable information] before we move forward with more robust security measures." Adds another: "We have cash-flow problems. And there are political problems when risk assessments unearth issues with outside vendors who we thought were properly managing data."
Speaking of outsourcing, we're seeing organizations large and small begin looking at mechanisms to off-load risk. These include the buzzword du jour, cloud computing--really just a bucket description for IT infrastructure, development platform, or software resources provided as a service. Organizations are also looking at third-party data storage and tokenization systems, where a sensitive piece of information, such as a credit card number, is traded for a one-time token that is then used in applications in lieu of the credit card number.
Of course, if outsourcing were anything close to a security silver bullet, we'd all be working for IBM. The reality is, putting large amounts of sensitive information into a few behemoth data centers simply creates bigger targets for attackers. Now, this doesn't mean transferring risk is always a bad idea. Many companies don't see security as a core competency and are better off hiring help. But they must do a darn good due-diligence job, because customers and regulators don't care if data is in your castle or your friend's castle--it's still your responsibility, and you'll be sending breach notifications.
Last year also brought a marked increase of involvement by both federal and state government agencies in cybercrime and cybersecurity matters. The Obama administration appointed Howard Schmidt to oversee the nation's cybersecurity initiatives, and the Senate Judiciary Committee approved two bills that seek to create a unified federal notification standard for U.S. businesses to follow, in addition to imposing prescriptive requirements for corporate data security programs. State legislatures are also getting into the regulatory mix.
We think the only sane response for IT is to adopt a security strategy that's focused on protecting both structured and unstructured data when it's in use by customers or employees, as it rests on network file systems, and as it traverses the LAN or leaves the corporate boundary. "The data-centric security approach is the key to transitioning an IT information security program to enterprise risk management," says Ken Rowe, director of enterprise systems assurance and information security for the University of Illinois. "As a university, we have data distributed across several major campuses, and just protecting devices doesn't scale."
 To read the rest of the article, download a free PDF of (registration required) |
