A new report called “Charting the Path: Enabling the
‘Hyper-Extended’ Enterprise in the Face of Unprecedented Risk —
Recommendations from Global 1000 Executives” says that IT departments can
manage the new risks they face if they confront underlying issues.
The report is published by the Security for Business Innovation Council, convened by RSA,
the security division of EMC (NYSE: EMC). It draws on advice from 10 panel members, each a senior security executive at a major organization: JP Morgan Chase, Motorola, EMC itself (its CSO), eBay, CSO Confidential, Time Warner, Genzyme, Diageo, Cigna, and Novartis.
“The ability to define the perimeter of the enterprise has now firmly
disappeared. That’s both in a technical and business sense, with the level
of third-party workers, outsourcing, supply chain, and ‘in the cloud’
services. All of these are making it much harder to define where one
enterprise ends and another begins,” Dr. Paul Dorey, director of the security
consultancy CSO Confidential, said in the report.
Security must be part of all decisions. “The hyper-extended enterprise is
a disaster for security personnel if they don’t get a chance to weigh in up
front,” Art Coviello, president of RSA, told InternetNews.com.
The report arrives at a time when companies are, by most accounts, still struggling with
the basics of IT security management, from VPN administration to IDS deployment.
Despite rising risk, business networks still carry too many unaddressed security holes.
Companies are eager to adopt new technologies to save money, but they
need to be careful, Coviello added. “There is a gap between the adoption of new
technology and the ability to secure it, but just because we’ll never have
perfect security, that doesn’t mean we should stick our heads in the sand
and hope for the best,” he said.
Teams will need good training, even within constrained budgets, he added.
“Everyone on the IT team should have a basic idea of best practices. They
think they’re saving money or being faster to market when they rush it but
they’ll pay more money later to retrofit security in than they would have
had it been a part of the project from its inception.”
The report’s seven recommendations are all broadly stated but are buttressed with
specific examples. For example, the report tells IT departments to protect the data itself rather than the container it happens to sit in, and to adopt more advanced monitoring techniques, because data moves and
companies don’t always know where it is.
Finally, the report recommends that companies participate in the creation
of standards and share risk intelligence.
None of this will be easy. “Why are the risks increasing? Without a
doubt, it is the pace of change in the environment. You can wake up tomorrow
and a risk that wasn’t there yesterday is there today. There is no period of
development; there is nothing necessarily on the horizon that will let you
say, ‘I can see what’s coming,’” warned Dr. Claudia Natanson, Chief
Information & Security Officer for Diageo.
Coviello said that compliance can be a security executive’s ally, but
warned that executives must do more than simply comply. “It’s okay to use
it to get done what should get done, but security officers should not rely
on it as a checklist of what they need to do,” he said.