IT Security Game Becomes a Race Against Time

By Michael Vizard  |  Print this article Print
IT security race

Customers are often astonished by the degree to which malware has penetrated their firms, and that is resulting in a rush to add better security.

As a result, there's a lot more emphasis on finding ways for a limited number of IT security professionals to work smarter at a time when the number of such professionals is in short supply, said Bill Dorney, security solutions director at CipherTechs, a solution provider that specializes in IT security.

"There's definitely a mind shift going on," Dorney said. "It's no longer just about AV software and the perimeter; it's about layering a security defense around the end points."

Customers are often astonished by the degree to which malware has penetrated their organizations—which is resulting in something of an arms race to add better security, Dorney said.

Security strategies as applied to endpoints, however, are rapidly evolving because each endpoint has a different set of security requirements based on the sensitivity of the data it accesses.

Almost every security issue comes down to a failure to deploy patches promptly and test for vulnerabilities, said Rodolphe Simonetti, managing director for governance, risk and compliance consulting services for the Professional Services Organization within Verizon.

"All the organizations involved in recent high-profile security breaches failed to test their security," Simonetti said. "We see companies drop the ball all the time."

The primary issue, Simonetti said, is that companies treat IT security testing and compliance as an event, rather than an ongoing process. They may be compliant and secure at the time a test is conducted. But as the IT environment changes, they fail to retest their IT security. Given the rate at which those changes occur, most IT organizations are likely to be vulnerable to one type of attack or another at any given moment.

The challenge is that no one can say for sure whether a security breach will emanate from inside or outside an organization, or what degree of access to sensitive data might result.

A recent survey of 800 business managers and IT professionals from Vormetric, a provider of encryption software, found that 44 percent of respondents admit they had experienced a data breach or failed a compliance audit in the last year.

"It's much more common to have an employee's credential compromised or have an employee go rogue," said Sol Cates, chief security officer for Vormetric. "Organizations really need to think through how they are protecting their crown jewels."

Worse yet, a large percentage of companies don't have an incident-response process in place to manage breaches that are now almost inevitable, said Mike Tierney, chief operating officer of SpectorSoft, a provider of employee-monitoring software.

"The biggest threat comes from the external hacker that has found a way to compromise a privileged account," Tierney said. "Too many companies, however, forget that trust and hope are not all that great in the spectrum of security solutions they can adopt."

There is an opportunity for solution providers with security expertise not only to implement and test customers' security controls, but just as importantly, create the incident-response plan needed to contain security breaches that seem to be inevitable.

 Seizing that IT opportunity, however, may require them to rush in where even the angels fear to tread.

Michael Vizard has been covering IT issues in the enterprise for 25 years as an editor and columnist for publications such as InfoWorld, eWEEK, Baseline, CRN, ComputerWorld and Digital Review.