Rethinking the data security box

Computer security can be a difficult problem to get a handle on, so sometimes it takes some creative thinking. I would say it involves "thinking outside the box," but that's a little too trite and overused.

I think of it in a more Zen-like manner -- rethinking the whole box.

I'm sure there's a business book title in that idea somewhere, like Rethinking the Box or Good to Great Boxes. Maybe Who Moved the Box? or Rich Box, Poor Box. Or even Harry Potter and the Magician's Hidden Box.

Something like that.

That kind of rethinking usually comes from smaller, leaner, meaner, and more entrepreneurial companies, such as the once-small Apple Computer or Dell. But it can come from large companies, as well, even from several large companies. This is demonstrated by the creation of the Data Governance Council, a global effort to protect personal and organization data within and between enterprises.

IBM along with a few other IT organizations and several dozen companies, including American Express, Key Bank, Merrill Lynch, TIAA-CREF, and the World Bank, created the council. Their goal? To help technology users find better ways to protect their data against hacker attacks and other security breaches.

The council is working to create a blueprint for the governance and protection of data within companies as the amount of business data continues to grow. According to Gartner, by 2012, companies will need to handle 30 times more business data than they did in 2004.

Data governance looks at how companies permit and govern appropriate access to their critical data by measuring operational risk and mitigating security exposures associated with access to data, said Stuart McIrvine, director of corporate client security strategy at IBM.

Top governance issues that the council will explore include security, privacy, compliance, and risk challenges that need common solutions and standards, as well as misunderstandings regarding organizational and IT roles and behavior, which can potentially cause data exposures, McIrvine added.

"Most companies haven't taken a real data-centric view of their security issues," McIrvine said. "We want to begin building a blueprint where security is thought of from day one, at the beginning of a project."

That doesn't just mean reaching out to software developers, according to McIrvine. "Corporate management needs to be aware that their projects are going to have to take security into account, and that might increase the cost or the time for the project. But the important thing is that they are aware of the need to build that security in."

In other words, this is not one of those projects that just heaps more work on the little guy -- this is going to require work from the big cats, too.

McIrvine said the idea for the council grew out of informal quarterly meetings that IBM has had with customers and business technology partners.

"A lot of us felt like we were dealing with pieces of the [data security] problem, but not really tackling the overall issue," he explained. "That's how this idea came about."

Aside from the blueprint, which will provide a nice tool for planning, several customer members of the council have volunteered to run pilot projects to test new data governance and security technologies in a proof-is-in-the-pudding way.

"That will really show us what works and what doesn't in a real-world environment," McIrvine said.

It's way too early to deem this idea a success, but you can't say these companies didn't think outside the box. Or maybe it's not really thinking outside the box. Maybe it's just thinking -- period.