The importance of protecting your business from security threats is clear. But how to do it well often remains a vexing problem. Major IT vendors have faced this challenge like everyone else — but with a twist. As providers of security technology and IT systems vulnerable to threats, they've had to stay a step ahead of everyone else. That's why CIOs of technology stalwarts IBM and Intel and security technology provider Symantec have taken on security management as one of their key functions. All three companies have shared their lessons learned with InfoWorld.
These CIOs have had to do more than take on the usual responsibility for driving their respective companies' efforts to defend their infrastructure, employees, and corporate reputations from any fallout related to data breaches or compliance violations. They've also had to be the in-house beta testers for a generation of new technologies their organisations hope to sell to customers. This balancing act demands more of their time and energy now than at any other point in their careers, the executives say.
Security affects all of it
"When I look at the risks here at Symantec, I know that we have to maintain a multilayered approach to protecting our IT assets: our ERP data, intellectual property, customer data, and personnel data. Managing the risk around all of that is a significant responsibility for me and my team," says David Thompson, CIO at Symantec.
"We have multiple large pools of information that are critical to our organisation, and we're seeing more of that data move further toward the boundaries, toward the end points," he says. "My job is getting more data into the hands of our business units, but that creates a lot of risk in terms of where it goes, who has access to it, and what they are using it for, along with the risk of it being exposed."
Even Thompson, who ranks his ability to "eat Symantec's own cooking" — or use all of its security and compliance technologies — as a huge advantage compared to CIOs working in other firms, admits that trying to keep up with all of the threats and regulations, as well as all the new products, is an effort that can become all-consuming.
The key to staying ahead of the attacks and laws, while not spending too much of his time focused on security, is delegating to a strong team of experts and prioritising which projects to tackle based on their criticality to Symantec's business.
"As a business leader and IT executive, if you take the view of trying to fix everything, you'll never sleep a wink. You have to assess risks, and just as we'll never be able to completely secure our borders in the United States, you have to prioritise efforts to reduce risk as much as possible," Thompson says.
"CIOs themselves must have a team that can help carry a good portion of the load so that they can stay focused on business relationships, clearing roadblocks, and being the public face of that team."
Among the most critical roles that any CIO or technology executive must play in aiding the efforts of their security staff is to drive high-level assessments of risk and figure out how their companies must strategise to complete projects that address the most significant threats and compliance regulations, Thompson says. The most effective strategy is to determine which projects most readily address specific threats or government requirements and focus on them, he says. Otherwise, a broad-brush approach to security will lead to unnecessary complexity and eat up all of your time. Thompson notes that even with the latest security technology available to him, the security strategy is more important than just having good security tools.
At IBM, CIO Mark Hennessy also stresses the importance of delegating to his team and of conducting near-constant risk assessment. But even with that delegation, security remains a top focus for him, he says.
"The world is changing, and there are a lot of new realities around security to address. Fostering stronger security across the board is a core tenet, as it helps to bring more value to everything we do," he says. "We want to make our employees more comfortable and more productive, and drive greater success for the clients we serve, so it's something we constantly need to remain focused on," he adds.
The security-vs-complexity challenge
Malcolm Harkins, general manager of Intel's Information Risk and Security unit, works directly with the chip giant's CIO Douglas Busch on issues of internal operational security and compliance. Harkins said that one of the biggest challenges that organisations such as Intel face is the process of improving security in the face of rapidly advancing IT complexity.
On top of that, ongoing efforts to lower the total cost of securing a company the size of Intel — while keeping up with emerging threats and regulations — is driving the firm to seek greater standardisation in some areas, and to integrate larger groups of technologies in others.
"We currently have over 40 individual security software and hardware providers that we are doing business with, and that's a lot of different pieces to have to integrate," Harkins says. "It's almost crazy from an IT standpoint, so we want to employ greater levels of standardisation to help us with issues of consistency; we'll always have a very heterogeneous environment, but we really need a more consistent set of tools. The more standardisation you have, the easier it is to make things more secure."
One of the most crucial steps any company can take in terms of improving its security is driving understanding of the attacks and laws across their highest executive ranks and ensuring that leaders who become involved in matters of security maintain realistic goals and objectives, Harkins says.
But that does not mean being heavy-handed in terms of the security levels demand, he notes. C-level executives who take an extremely conservative approach and desire to aggressively lock down all their IT systems may in fact do more harm than good, he says.
"Some companies believe that by severely limiting the use of technologies that pose risks, they are improving their defenses, but the truth is they may just be creating a false sense of security," Harkins says.
"In reality, they are limiting the ability of their business to operate effectively and are increasing risk by creating barriers and policies that can't be enforced practically," he says. In IT, "you have to work with [the C-suite] to change their approach from one that is focused on responding to fears to one that is focused on key controls that solve real problems. You have to have executive buy-in, but by taking the wider approach of considering legal, compliance, and security issues together, you will end up with stronger protection, lower costs and less complexity."