RealTime IT News

Report: "Hyper-Extended" Enterprises at Risk

A new report called "Charting the Path: Enabling the 'Hyper-Extended' Enterprise in the Face of Unprecedented Risk -- Recommendations from Global 1000 Executives" says that IT departments can manage the new risks they face if they confront underlying issues.

The report is published by the Security for Business Innovation Council unit of RSA, the security division of EMC (NYSE: EMC). The survey incorporates advice from 10 panel members, each representing a leading company in a major EMC vertical: JP Morgan Chase, Motorola, EMC's own CSO, eBay, CSO Confidential, Time Warner, Genzyme, Diageo, Cigna, and Novartis.

"The ability to define the perimeter of the enterprise has now firmly disappeared. That's both in a technical and business sense, with the level of third-party workers, outsourcing, supply chain, and 'in the cloud' services. All of these are making it much harder to define where one enterprise ends and another begins," Dr. Paul Dorey, director of security consultancy CSO Confidential, said in the report.

Security must be part of all decisions. "The hyper-extended enterprise is a disaster for security personnel if they don't get a chance to weigh in up front," Art Coviello, president of RSA, told InternetNews.com.

The news comes as all indicators show that companies are having difficulties with the basics of IT management, from VPN management to IDS deployment. In spite of rising risks, business networks have too many security holes.

Companies are eager to adopt new technologies to save money, but they need to be careful, Coviello added. "There is a gap between the adoption of new technology and the ability to secure it, but just because we'll never have perfect security, that doesn't mean we should stick our heads in the sand and hope for the best," he said.

Teams will need good training, even within constrained budgets, he added. "Everyone on the IT team should have a basic idea of best practices. They think they're saving money or being faster to market when they rush it but they'll pay more money later to retrofit security in than they would have had it been a part of the project from its inception."

The report's seven recommendations are all vague but are buttressed with specific examples. For example, the report tells IT departments to protect data, not its container, and to adopt advanced monitoring techniques. That's because data moves, and companies don't always know where it is.

Finally, the report recommends that companies participate in the creation of standards and share risk intelligence.

All of this won't be easy. "Why are the risks increasing? Without a doubt, it is the pace of change in the environment. You can wake up tomorrow and a risk that wasn't there yesterday is there today. There is no period of development; there is nothing necessarily on the horizon that will let you say, 'I can see what's coming,'" warned Dr. Claudia Natanson, Chief Information & Security Officer for Diageo.

Coviello said that compliance can be a security executive's ally, but warned that executives must do more than just compliance. "It's okay to use it to get done what should get done, but security officers should not rely on it as a checklist of what they need to do," he said.