Among the most critical roles any CIO or technology executive can play in supporting their security staff is to drive high-level risk assessments and decide how the company should prioritize the projects that address its most significant threats and compliance obligations, Thompson contended. The most effective strategy, he said, is to identify the projects that most directly address a specific threat or regulatory requirement and focus on those; a broad-brush approach to security only adds unnecessary complexity and consumes all of your time. Thompson also noted that even with the latest security technology at his disposal, a sound security strategy matters more than simply owning good security tools.
At IBM, CIO Mark Hennessy also stressed the importance of delegating to his team of security experts and of conducting near-constant risk assessment. But even with that delegation, security remains a top focus for him, he said. "The world is changing, and there are a lot of new realities around security to address. Fostering stronger security across the board is a core tenet, as it helps to bring more value to everything we do," he said. "We want to make our employees more comfortable and more productive, and drive greater success for the clients we serve, so it's something we constantly need to remain focused on," he added.
The security-vs.-complexity challenge
Malcolm Harkins, general manager of Intel's Information Risk and Security unit, works directly with the chip giant's CIO John Johnson on issues of internal operational security and compliance. Harkins said that one of the biggest challenges that organizations such as Intel face is the process of improving security in the face of rapidly advancing IT complexity.
On top of that, ongoing efforts to lower the total cost of securing a company the size of Intel -- while keeping up with emerging threats and regulations -- are driving the firm to seek greater standardization in some areas and to integrate larger groups of technologies in others. "We currently have over 40 individual security software and hardware providers that we are doing business with, and that's a lot of different pieces to have to integrate," Harkins said. "It's almost crazy from an IT standpoint, so we want to employ greater levels of standardization to help us with issues of consistency; we'll always have a very heterogeneous environment, but we really need a more consistent set of tools. The more standardization you have, the easier it is to make things more secure."
One of the most crucial steps any company can take in terms of improving its security is driving understanding of the attacks and laws across their highest executive ranks and ensuring that leaders who become involved in matters of security maintain realistic goals and objectives, Harkins said.
But that does not mean being heavy-handed about the level of security demanded, he noted. C-level executives who take an extremely conservative approach and seek to aggressively lock down all of their IT systems may in fact do more harm than good, he said. "Some companies believe that by severely limiting the use of technologies that pose risks, they are improving their defenses, but the truth is they may just be creating a false sense of security," Harkins said.
"In reality, they are limiting the ability of their business to operate effectively and are increasing risk by creating barriers and policies that can't be enforced practically," he said. In IT, "you have to work with [the C-suite] to change their approach from one that is focused on responding to fears to one that is focused on key controls that solve real problems. You have to have executive buy-in, but by taking the wider approach of considering legal, compliance, and security issues together, you will end up with stronger protection, lower costs, and less complexity."
The original version of this story disclosed a different name as Intel's CIO but has now been corrected. InfoWorld regrets the error.