While monitoring and patching of systems is essential to any security strategy, many CIOs and IT security professionals approach the task backward, says Schmidt. “The discussion always seems to be, Tell me where the threat is and I’ll secure that system,” Schmidt says. “You need to test systems for vulnerabilities before deploying, have a plan in place to patch them, and audit to see who’s doing what and where data is.”

Turning the traditional approach to security on its head can help IT organizations prioritize spending to protect critical IP. “You need to look at the mission of the organization from the top down as opposed to the bottom up,” Saydjari explains.

Defense in Depth
Without a clear idea about which IP assets most need protecting, CIOs may put their security dollars in the wrong places. “Most large organizations have all done basic blocking and tackling—firewalls, antivirus products, et cetera,” says Amit Yoran, CEO of network forensics company NetWitness and former director of the Department of Homeland Security’s National Cyber Security Division. But as with cybercrime generally, perimeter defense goes only so far. Companies need a cyberdefense strategy that is multilayered with different types of protection at each layer.

One strategy, called “defense in depth,” derives from the military technique for slowing down rather than trying to stop the advance of an adversary. The model applies when the question is not if, but when, hackers will break in. “If you reinforce one area, [attackers] will look to another,” says James Lewis, director and senior fellow with the Center for Strategic and International Studies. “The job is to reduce the chance that they’ll be able to get in.”

On the network, defense in depth means traditional perimeter security is supplemented with advanced intrusion detection systems, segmented networks with tighter security around some information, demilitarized zones for public data and security audits. But a good defense-in-depth strategy takes its multilayered approach to people, processes and technology as well.

The approach enables IT security teams to get beyond dealing with hackers as if playing a game of whack-a-mole and treat the problem more like a chess game, says Jim DuBois, general manager of information security and infrastructure services security for Microsoft. DuBois has worked at Microsoft for 14 years and lived through a public incident in 2000 when hackers, who The Wall Street Journal reported were traced to Russia, allegedly accessed some of Microsoft’s key applications and source code. (DuBois was not part of the security group at the time. A Microsoft spokesperson argues that the incident was not portrayed accurately in the media, but that it reinforced the importance of security controls and helped drive adoption of several projects, including smart cards for remote access and a public key infrastructure—which allows for the secure and private exchange of data in unsecure environments.)