Tom Kendra, Group President, Symantec Corp. —
While increased internet connectivity has fundamentally changed the way we do business, it also has introduced new security and IT risks that make yesterday’s approach to security ineffective. Just as new ways of doing business were ushered in with Web 2.0, next-generation security practices must be adopted to ensure a more enlightened era of enterprise security.
Call it Security 2.0—an evolution in security that focuses not only on protecting systems and keeping hackers out but also on securing information and interactions. Security 2.0 is driven by policy, enabled by technology and strengthened by a well-managed infrastructure.
All large and publicly traded companies have IT and security policies they need to enforce. Developing security policies to meet the requirements of external regulations can be difficult and costly. Typically, these regulations do not include specific recommendations on what technologies and procedures a company should put in place to achieve and demonstrate compliance. Basing a security policy on frameworks such as ITIL, COBIT and ISO provides specific guidelines on what information a company needs to secure and what IT controls to implement.
In a Web 2.0 world, security policies must focus not simply on protecting devices but on securing information. After all, the primary purpose of the devices and systems that make up an IT infrastructure is to carry and contain the organization’s most valuable asset—its information. Consequently, a security policy must help organizations manage and control both inbound and outbound content to protect them from the inadvertent or intentional distribution of confidential and sensitive information.
The growing sophistication of today’s attacks and the varied risks that businesses face in today’s connected world calls for security that is both scalable and layered. In addition, businesses must operationalize security by standardizing and automating the processes and the software. This will allow organizations to drive down the costs of day-to-day security activities so they can be more proactive when it comes to protection.
Companies need to have adequate antivirus, antispyware, and other signature-based protection in place. However, these measures are no longer enough on their own and must be layered with more proactive types of protection such as whitelisting or behavioral-based protection that analyzes patterns and reputation to block targeted threats before they happen.
Protecting the network must also be considered. Technologies like Network Access Control and anti-spam appliances are becoming commonplace within large and mid-size businesses to prevent bad things from entering the network. Data loss prevention (DLP) solutions are ideal for protecting the good things—sensitive information like customer credit card data or intellectual property—from exiting through the network.
As security becomes a foundational component of business, the traditional way with which companies manage it must change. A next-generation security strategy should embed security throughout an organization’s business processes. Security policies, workflows and technologies must span disconnected organizations to address the interconnected risks that threaten the organization as a whole, because the organization is only as protected as the weakest link in the security chain.
Tom Kendra is Group President, Security and Compliance Management Group, at