The rapid ascent of social networking, the explosion in mobile devices and technologies, and the growing spectre of cyber terrorists operating like organized crime are key factors changing the face of enterprise security in profound ways. For CIOs, security challenges naturally lead to the question of balance. Just how do you balance the competing demands of securing enterprise data with the requirements to give users the ‘instant’ access to data they demand any time, any place and from just about any device?
“Threats [today] are much more sophisticated and much more persistent,” says Woody Hall, CIO of General Dynamics Information Technology. Standby defenses, like firewalls, just cannot keep the threats at bay. As Hall states, “They’re going to get in. So it’s not if, it’s when.”
As a result of this new security reality, some CIOs are shifting from defensive to more and more offensive security measures. To some, this has meant turning increasingly to security partners for help. As Joe Spagnoletti, CIO of Campbell Soup Company, articulates, “It would be impossible for a company like mine to invest the kind of money to continue to innovate security techniques and capabilities to prevent all those different types of threats that are out there.”
Beware the social ‘net
Spagnoletti has further identified social networking as a new frontier and concern for enterprise security. It is, as he calls it, the “inside out” threat. Employees – ‘insiders’ – leaking information ‘out’ onto social networking sites are a major threat to an enterprise’s security. Social networking has the potential for intentional or unintentional loss or leaking of information that could impact a company’s brand or reputation. Yet as shown by CSO Magazine’s 2011 Global State of Information Security Survey, over three quarters of organizations polled do not even have social networking written into their security strategies. Thus CIOs should view security as no longer just about monitoring threats but also about educating employees on protocols for sharing information.
The growing sophistication of threats and the new frontier of social networking are some of the biggest changes to information security in recent years. Yet the mounting security in response to these challenges cannot hamper an enterprise’s agility. The best option to help CIOs balance agility and security is to have a risk mitigation scheme in place. CIOs must also utilize education. Spagnoletti stresses the importance of providing “education and skills [to] help people (employees) understand their responsibilities in using information correctly.”
CIO Enterprise Security Action
According to the 2011 State of the CIO Survey, improving security and risk management is a top management priority for 40% of CIOs. Meanwhile the 2011 Global State of Information Security Survey found only 65% of respondents have an overall security strategy in place, 53% utilize vulnerability scanning tools, and 45% have wireless security standards and procedures. To help CIOs improve enterprise security, here are some common sense security action items.
1. Write social networking sites and other Web 2.0 applications into your overall security strategy.
2. Educate your employees on appropriate and inappropriate information sharing protocols.
3. Turn to a trusted partner to help monitor security risks.
4. Implement a risk mitigation scheme.
5. Incorporate offensive measures, such as monitoring for changes in usage patterns, in order to swiftly respond to potential security breaches.