Policing business partners is a monster challenge on its own. "One of the hardest areas to enforce your own information risk management programs, no matter how sound, is with third parties; even when companies can effectively map out all their internal business processes and identify who controls what,” Suther says. “It's still very difficult to get information about processes employed by third parties that may be touching the data."
Despite all the hurdles, enterprise customers are moving forward and discovering tools and processes that will help them improve data security. Gus Tepper, vice president of software development at real estate financial services provider First American, says that incremental progress is important, even if it does not solve every data security headache overnight.
One of the first steps, says Tepper, is to get a better grip on which workers can access which repositories of sensitive information and to automate the process of granting and removing entitlements using more intelligent tools. This has proven vital in a company with close to 40,000 employees, many of whom tend to shift responsibilities on a regular basis.
"We think that we've done a good job of making sure that data is secure from this perspective of access. Where most failures occur is around human process," Tepper says. "To the extent that you can automate and minimize threats via controlling access, this is some of the most important work I think any company can do.”
First American installed encryption technology on all of its laptops to prevent someone from gaining data access if the machines are lost or stolen. It is also employing similar tools to obscure data stored on tape drives in offsite locations, and the company has bought into entitlement management software made by Securent to help its data governance efforts.
"When you're in a large company like ours with hundreds of applications and people moving between divisions, there is a lot of cleaning up that has to happen, as it’s easy to lose track of access privileges without a tool that gives you centralized management," Tepper says. "As far as the outside world having access, we really want to make sure that doesn't happen, and we have a lot of security technologies in place to address that. But by getting a better handle on internal access and all the processes needed to allow for that, we think our standing has improved significantly."
The company also hired its first chief information security officer in 2006 to give data protection a more prominent role in the overall management of its operations, he says.
Many large companies wish that they could start from scratch as they rearchitect their data protection strategies, but even those who can afford to concede that the nature of protecting the information they gather is daunting.
Marty Hodgett, chief information officer at Orchard Supply Hardware, a California-based retail chain with headquarters in San Jose, has been tasked with introducing IT into the company, which is hoping to grow into a national presence in the next few years
As the hardware chain brings workstations and new data harvesting systems into its operations -- which Hodgett classifies as lagging in the use of most modern IT equipment -- it will be an ongoing balancing act to empower the company with more data about its customers, employees, and suppliers while keeping a lid on sensitive information, he says.