The importance these days of protecting your business from security threats is clear. But how to do it well often remains a vexing problem. Major IT vendors have faced this challenge like everyone else -- but with a twist. As providers of security technology and IT systems vulnerable to threats, they've had to stay a step ahead of everyone else. That's why CIOs of technology stalwarts IBM and Intel and security technology provider Symantec have taken on security management as one of their key functions. All three companies have shared their lessons learned with InfoWorld.
These CIOs have had to do more than take on the usual responsibility for driving their respective companies' efforts to defend their infrastructure, employees, and corporate reputations from any fallout related to data breaches or compliance violations. They've also had to be the in-house beta testers for a generation of new technologies their organizations hope to sell to customers. This balancing act demands more of their time and energy now than at any other point in their careers, all of the executives said.
Security affects all of it
"When I look at the risks here at Symantec, I know that we have to maintain a multilayered approach to protecting our IT assets: our ERP data, intellectual property, customer data, and personnel data. Managing the risk around all of that is a significant responsibility for me and my team," said David Thompson, CIO at Symantec.
"We have multiple large pools of information that are critical to our organization, and we're seeing more of that data move further toward the boundaries, toward the end points," he said. "My job is getting more data into the hands of our business units, but that creates a lot of risk in terms of where it goes, who has access to it, and what they are using it for, along with the risk of it being exposed."
Even Thompson, who ranks his ability to "eat Symantec's own cooking" -- or use all of its security and compliance technologies -- as a huge advantage compared to CIOs working in other firms, admits that trying to keep up with all of the threats and regulations, as well as all the new products, is an effort that can become all-consuming.
The key to staying ahead of the attacks and laws, while not spending too much of his time focused on security, is delegating to a strong team of experts and prioritizing which projects to tackle based on their criticality to Symantec's business. "As a business leader and IT executive, if you take the view of trying to fix everything, you'll never sleep a wink. You have to assess risks, and just as we'll never be able to completely secure our borders in the United States, you have to prioritize efforts to reduce risk as much as possible," Thompson said. "CIOs themselves must have a team that can help carry a good portion of the load so that they can stay focused on business relationships, clearing roadblocks, and being the public face of that team."
Among the most critical roles that any CIO or technology executive must play in aiding the efforts of their security staff is to drive high-level assessments of risk and figure out how their companies must strategize to complete projects that address the most significant threats and compliance regulations, Thompson contended. The most effective strategy, he noted, is to determine which projects most readily address specific threats or government requirements and focus on them. Otherwise, a broad-brush approach to security will lead to unnecessary complexity and eat up all of your time. Thompson also noted that even with the latest security technology available to him, the security strategy is more important than just having good security tools.
Matt Hines is a senior writer at InfoWorld.




