"Welcome to my life over the past eight years," said Andrew Stravitz, who until recently was director of information security for barnesandnoble.com. He detailed some of the steps he made for the online operations of the book retailer, which boiled down to doing more with less. Initially, assisted by only two interns, he was able to build up a network operations center, develop strong policies and procedures, grow the number of customer service representatives from 500 to 1,000 worldwide, and strengthen the company's corporate social responsibility (CSR) program.
Needing to comply with PCI regulations allowed Stravitz to get the budget required to build out this infrastructure, he said. He convinced his bosses of the need for a server and engineering group to protect customers' personally identifiable information and credit card numbers, for example, which he achieved by hiding data in a secure VLAN. The point was to develop security with the assumption that the network would be breached, so his focus was on protecting the data with cryptographic defenses.
Security budgets are growing, but they still aren't where they need to be, said Mark Clancy, managing director and CISO at the Depository Trust and Clearing Corporation (DTCC), the central depository for the United States, which in 2010 processed $1.66 quadrillion in transactions.
"It's not a technical problem, but a business problem," he said. "The scope of the mission has tripled, but budget has only doubled."
The amount of threat activity is "mind-boggling," and increasingly growing, Clancy said. But, he warned, business people don't understand technical language or concepts. It's only because breaches have been making headlines and subsequently bleeding companies of cash in renumerations and penalties, as well as damaging brand reputations, that have finally increased executive awareness of the necessity of protecting data assets.
Clancy said it took him five years to get the budget for what he termed the "Holy Grail of IT," a web application firewall.
The traditional model of IT is gone, Stravitz added. At this point, no one can be trusted on the network, most particularly insiders. By putting controls in place to mitigate the threat from insiders, a company will at the same time be deploying a solid defense to protect against external attempts to break through network defenses, he said.