Why Technology Isn't The Answer To Better Security

You've beefed up your IT security arsenal, and you're focused on compliance. But you're still vulnerable. Here's why.

1 2 Page 2
Page 2 of 2

Stanley wants to categorize every file in the enterprise by three variables: owner, business value and risk level. The government has "top secret," "secret" and "confidential" ratings, but Continental's designations will be more granular and dynamic, using tiers and subsets of tiers. Thinking this way vaults Continental ahead of most companies. Just 24 percent report that classifying the business value of data is part of their security policies. While 68 percent classify their data according to risk level, at least periodically, 30 percent don't ever do it.

The complexity of such a project explains the low numbers, Lobel says. "Doing this project is a lot of effort, and unless there's a regulatory need for it, many don't do it."

Stanley expects the project to take three or four years. "Anything that keeps planes in the air and money coming through is Tier 1," Stanley explains. That would include information about crew scheduling, and cargo and fuel needs, as well as credit card processing information. Tier 2 or 3 is still important to protect, but not critical to keeping planes aloft, for example, providing employees access to their 401(k) accounts.

Security technology and procedures will correspond to the risk and tier level in which a given piece of data falls, as defined by the data owner. Tier 1 might mandate twice-a-day backups and two-factor user authentication, he says. "I can expend my resources more appropriately to our data's value and therefore save the company money," he says. "Stop spending $10 to protect $5 worth of data." Music to an airline CEO's ears, no doubt.

Which Brings Us Back to Money

With security budgets averaging $1.7 million, an optimistic 44 percent of those surveyed said their information security spending would increase this year, while 4 percent expected a decrease. Where will the money go? We see glimmers of hope. Top priorities in the coming year include hiring information security consultants and hiring a chief information security officer. Respondents also plan to develop security procedures for handheld devices and create an identity management strategy. They expect to invest in technologies, including biometrics, to tighten access to sensitive data, as well as in data-leakage prevention and security event correlation tools to start analyzing what works and what doesn't on which kinds of security problems.

These steps, Lobel says, will get companies closer to a comprehensive security strategy. Already, he notes, 40 percent of organizations use security as a marketing point, usually soliciting business on the grounds that they protect customer data better than their rivals. "But it's only a competitive advantage if it works, if it's good security."

Related:

Copyright © 2008 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
Discover what your peers are reading. Sign up for our FREE email newsletters today!