A risk-based approach is needed to protect critical information
It's not a surprise, then, that today's threats target the information itself, and these threats are real and growing. The most recent version of the Symantec Internet Security Threat Report found that in the last six months of 2007, 68 percent of the most prevalent malicious threats attempted to compromise confidential information. According to the Privacy Rights Clearinghouse, the number of exposed records tripled last year.
In the past, our reaction to stats like these would have been simple: build higher and stronger walls. But today, you can't do that and have a successful business. Decision-making depends on access to information. What we need now is a fundamental shift in our approach to IT security – one that takes an information-centric view of security.
With the amount of stored data growing by 50 percent per year, organizations need to take a risk-based approach to protecting their most critical information – from source code to customer information to employee data – while it's at rest, in motion, and in use. To do that, an organization needs to answer a few simple, but important, questions. First, what sensitive information do we have? Second, where is that sensitive information stored? Finally, how is the information being used – both on the network and at the endpoints?
Once these questions are answered, organizations can begin to set policies to help mitigate risks to information. To be effective, these security and data management policies must be aligned with how an organization wants to run its business. To that end, the development of these rules of the road must include the input of all business leaders, not just the CIO and the IT department. And most importantly, the organization's leadership must help foster a culture of security, because policies are only as good as the people asked to follow them.
It's important to have the right technologies in place to protect information wherever it may be. Specifically, security and data management solutions must work hand-in-hand to prevent data loss and to make sure that sensitive data is being used by the right people and in the right way. That means, for example, a solution that can discover exposed confidential information and automatically move it to an encrypted storage location, or one that can trigger an automatic backup when a threat is looming on the horizon.
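The first two questions above, what sensitive information we have and where it is stored, are answered in practice by a content-discovery scan, and the third step is a policy decision on each location. The following is an added illustration written for this page, not Symantec's product or any code from the original article. It walks a set of files, matches a few sensitive-content patterns (payment card numbers validated with the Luhn checksum so random 16-digit order numbers are not flagged, SSN-shaped numbers filtered against ranges the SSA never issues, private-key headers, and a CONFIDENTIAL marker), redacts the evidence it records, and maps each location to an action. The pattern set, the severity scale, the action names and the sample files are assumptions made up for the example.

```python
"""Hypothetical content-discovery scanner (added example, not a vendor product).

Produces an inventory of where sensitive content lives so a policy can act on it.
Patterns, severities, action names and sample data are assumptions for illustration.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List

# Candidate patterns. The card regex is deliberately loose; Luhn validation below
# rejects ordinary 13-19 digit numbers (order IDs, hashes) that are not card PANs.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")
MARKER_RE = re.compile(r"\bCONFIDENTIAL\b")


@dataclass
class Finding:
    location: str   # file path, or the constructed sample name
    kind: str       # "card", "ssn", "private_key", "marker"
    severity: int   # assumed scale: 1 (low) .. 3 (high)
    evidence: str   # redacted; the full secret is never copied into the inventory


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (digits only, no separators)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped numbers the SSA never issues (area 000/666/9xx, zero group or serial)."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def redact(s: str) -> str:
    """Keep just enough of a match to locate it later, never the whole value."""
    return s[:4] + "..." + s[-2:] if len(s) > 6 else "***"


def scan_text(location: str, text: str) -> List[Finding]:
    """Run every pattern over one file's content and return validated findings."""
    findings: List[Finding] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(Finding(location, "card", 3, redact(digits)))
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            findings.append(Finding(location, "ssn", 3, redact(m.group(0))))
    if PRIVATE_KEY_RE.search(text):
        findings.append(Finding(location, "private_key", 3, "PRIVATE KEY block"))
    if MARKER_RE.search(text):
        findings.append(Finding(location, "marker", 2, "CONFIDENTIAL marker"))
    return findings


def decide_action(findings: List[Finding]) -> str:
    """Map a location's worst finding to an action (assumed policy, assumed action names)."""
    if not findings:
        return "leave"
    worst = max(f.severity for f in findings)
    return "move_to_encrypted_store" if worst >= 3 else "flag_for_review"


def inventory(files: Dict[str, str]) -> Dict[str, dict]:
    """Answer 'what do we have' and 'where is it' for a mapping of location -> content."""
    result = {}
    for location, text in files.items():
        findings = scan_text(location, text)
        result[location] = {"findings": findings, "action": decide_action(findings)}
    return result


def scan_directory(root: str, max_bytes: int = 1_000_000) -> Dict[str, dict]:
    """Walk a real directory tree; files above max_bytes (assumed limit) are skipped."""
    files: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) <= max_bytes:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    files[path] = fh.read()
    return inventory(files)


# Constructed sample data: the second card fails Luhn, the second SSN has area 000,
# and the order number in notes.txt is 16 digits but not a valid PAN.
SAMPLE_FILES = {
    "crm/export.csv": "name,card\nAda,4111 1111 1111 1111\nBob,4111111111111112\n",
    "hr/ssn.txt": "Employee 123-45-6789; bogus 000-12-3456",
    "src/deploy.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
    "docs/notes.txt": "Order 1234567890123456 shipped.",
    "docs/plan.txt": "CONFIDENTIAL: Q3 roadmap",
}

if __name__ == "__main__":
    for location, entry in inventory(SAMPLE_FILES).items():
        kinds = [f.kind for f in entry["findings"]]
        print(f"{location}: {kinds or 'no findings'} -> {entry['action']}")
```

Run as a script it reports the sample inventory; point scan_directory at a real share to build one from disk. The two validation steps (Luhn and the SSN range check) are what keep the inventory credible: a scanner that flags every 16-digit number trains people to ignore its output, which defeats the policy that depends on it.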
Then, as organizations gain knowledge of their content, knowledge of their users, and knowledge of all of the devices on their network, an enterprise rights management system will emerge.
I believe we'll eventually get to a system that marries security and information in a more complete and holistic way. But, it will take a while and there are steps we can take today to hasten its arrival.
We need to extend content awareness capabilities more deeply into the mobile environment – to be able to see information sent over Yahoo mail accounts or downloaded to a memory card without ever traveling through the corporate network. We must improve archiving capabilities. That means being able to make intelligent decisions based on the content itself – automatically encrypting highly sensitive information, such as your financials, or deleting all those spam and joke e-mails that don't need to be archived at all.
And, above all, IT professionals need to become trusted advisors to their organizations, partnering with business leaders to design and implement a holistic response to protecting an organization's most vital asset – information.
Ultimately, we need to recognize the central truth: you can't secure what you don't manage, and you can't manage an enterprise today without managing your information.