The companies that are having the most success in advancing their data security efforts today are those that are finding a way to protect sensitive information without getting in the way of business users, industry experts maintain.
In crafting their data-handling policies and selecting from the multitude of security technologies at their fingertips, those businesses that can foster both ready access to information and strong defenses for end-users and IT systems are making progress the fastest, claim leading vendors and service providers.
After years of "throwing technologies" at the data security problem while juggling complex business demands along with external threats and regulatory compliance audits, some businesses are finally discovering that they can simplify the entire process by taking a more comprehensive approach to tailoring their programs to the manner in which their users access, handle, and share information.
Even within IT giants like IBM, the struggle to balance security issues with emerging business demands to work with information in new ways hasn't always been approached in this manner, said Julie Donahue, vice president of the security and privacy service in the company's Global Technology Services group.
Only through experience and ongoing efforts to constantly rationalize security policies with business demands has the massive firm been able to get a grip on its own data-handling needs, she said.
"Customers need to step back and see what their own culture wants. If we locked down everything within IBM, it would be so difficult to manage that we would have a serious management problem, so you have to ask questions around culture before you begin thinking of enforcement," said Donahue.
"You have to assess the risk environment and think of this as a holistic problem in terms of how you place bets and need to manage pools of risk, even though that for most CIOs it often feels like you have to spend your time going day-to-day dealing with the crisis of the moment," she said. "You really need to look at where to make the right investments, where to do enforcement, and where to monitor to have a truly strategic view."
Donahue said that when IBM was building its security practice roughly 16 months ago, it found that customers were spending as much as 10 percent of their IT budgets dealing with the maintenance and complexity of their data security systems.
The only way to reduce the data security management headache is to design an internal framework for managing infrastructure to ensure that investments are being made wisely, she said.
In many cases, those companies that are succeeding in that regard are treating their data assets just as they would treat cold, hard cash, the expert maintains.
"Companies need to protect their vast ecosystem of data like it is a monetary system, they really have to think about it that way," said Donahue. "It can't be the data center's problem or the network administrator's responsibility alone to protect its security; it has to be everyone's responsibility throughout the entire company."
IBM learns about security leaks the hard way
As evidence of the types of things that can happen to undermine even a comprehensive security game plan, Donahue pointed to IBM's loss earlier this year of two backup tapes that contained sensitive information about former employees.