PALM DESERT, CALIFORNIA (03/09/2004) - A panel of IT managers told attendees at Computerworld's Premier 100 IT Leaders Conference Tuesday that the federal government has had some positive impact on corporate security, mostly via regulation and legislation, such as the Health Insurance Portability and Accountability Act of 1996.
"I will tell you that your health data is significantly more secure today than it was yesterday," said Linda Reino, CIO at Universal Health Services Inc. in King of Prussia, Pa.
Reino added that government agencies such as the U.S. Food and Drug Administration have helped her strong-arm reluctant vendors into making their products more secure.
New, wide-ranging government regulations helped push The Guardian Life Insurance Company of America to establish a "holistic approach" to risk management, said Marc S. Sokol, chief security officer. The New York-based company's new computer security officer has responsibility for IT security but also oversees physical security, disaster recovery and other risk management functions, he said.
Panelists said it is sometimes hard for IT managers to strike a balance between customer service and security. "You want to be an enabler, you don't want to always say no," said Al Brusewitz, chief information security officer and CIO for the County of Los Angeles.
They agreed that employee education -- while "not sexy," as one put it -- is really the linchpin of security. William Farrow, CIO at the Chicago Board of Trade, said a woman cleaning a conference room there became suspicious of a laptop left running overnight. She reported it to security, and it was later discovered that someone had left it on, running port-scanning software aimed at the corporate network.
Asked how the Board of Trade had gotten even low-level employees to be so savvy about security, Farrow answered, "We scare people." Adherence to security principles is part of the employee contract, he said.
Senior managers have to be educated, too, but they have to be approached in ways they can relate to, Sokol said. "We don't talk about port scans or buffer overflows," he said. "We talk about information disclosure."
Reino offered this advice on employee education: "Make it a part of daily conversation in every project meeting. We make it clear that every project has responsibility for security. You have to make it part of day-to-day operations."
She also said it's important to publicize employee-caused security incidents internally, not necessarily naming the employee who made a mistake, but doing it in a way that others learn from the error.
Panelists singled out wireless and mobile computing as sources of special concern but said limiting their use is no solution. Modern medicine demands that hospital workers carry wireless devices, Reino said, but wireless networks must be protected by encryption and intrusion-detection software.
Rob Clyde, chief technology officer at Symantec Corp., said that strong encryption for wireless is necessary but not sufficient. "It's not enough for worms and viruses; worms can crawl right through."
Several panelists said they equip employees' home and mobile PCs with the same security software, such as antivirus software, that is used in the office. "We mandate the antivirus product you use," Reino said. "We can't live with your decision."