Enterprise security remains a balancing act

The sheer size and complexity of today's largest enterprise businesses makes it nearly impossible for such organizations to keep up with the rate of change in IT security, requiring a top-down strategy that prioritizes risk and accepts the limitations of available technologies, according to a top executive at financial services giant Morgan Stanley.

Presenting to the assembled crowd at the ongoing Usenix Security Symposium in Boston on Thursday, Jerry Brady, global head of IT security at Morgan Stanley, painted a bleak picture of the situation faced by large enterprises in trying to balance defense of their computing systems with keeping operations up and running to support business activities.

From the challenge of finding software developers who understand the security implications of their work to studying the geopolitical forces at play in all of the corners of the world in which Morgan Stanley does business, Brady said that his company's efforts to lock down IT systems are almost constantly in flux.

Only through the adoption of high-level policies and controls aimed at fostering flexible security practices across the organization and via more aggressive sharing of information about threats with other businesses -- and law enforcement agencies -- can large companies effectively improve their protection and continue to do business as usual, he said.

Keeping up with all the product security patches issued by mainstream IT providers and adopting all the latest systems defense technologies are impractical tactics for companies like Morgan Stanley, which employs roughly 70,000 people worldwide and controls roughly 100,000 different computing devices, Brady said.

Establishing a strategy that involves near constant refining of security policies, includes heavy amounts of research into emerging threats, and is built around assessment of how any IT work might impact business operations is the key to balancing the entire equation, he said.

At the end of the day, the notion of making an enterprise completely secure from attack is impossible to achieve based on the scale and diversity of the systems employed by such companies and the multitude of threats they are dealing with, according to the executive.

"Depending on the theater of operation or part of the company you're looking at, you will find incredible degrees of variety in terms of the security that's being required," said Brady. "We try to pull this together into something that works by using a policy-driven, versus technology-driven, approach that establishes security controls that people can localize."

Adding another degree of complexity to the issue is the near constant rate of mergers and acquisitions carried out by companies like Morgan Stanley with each individual firm bringing their own specific IT footprint into the larger picture, including whatever technologies they have chosen to use, said the executive.

The notion of patching every Windows system in the company after Microsoft issues its monthly Patch Tuesday security bulletins is impractical for reasons related to asset logistics as well as the need to keep IT systems up and running to support Morgan Stanley's internal users, partners, and customers, he said.