Making certain that enterprise data is secure against breach or even outright theft is becoming increasingly difficult as IT relies on externally hosted applications. The CIO's focus is moving from internal development to perimeter security, application provider compliance, and integration.
I asked Jan Manning, CIO and corporate vice president at SafeNet, to weigh in on the topic.
The Enterprisers Project (TEP): How do CIO Executives deal with, and who is responsible for, making certain that external systems are secure?
Manning: The best way to secure the environment is to ensure security is everyone's responsibility, make sure assets are protected, and utilize a combination of tools to mitigate risk. First, annual security awareness training and certification is required for all employees so they are aware of the latest threats and actions they can take to prevent breaches from occurring. Securing the applications starts with the developers who build our applications or who are implementing a SaaS alternative. The developers must code with security in mind — best practices are a must!
Encryption is the most important security tool to protect our data and IP. High value data in databases and on laptops needs to be encrypted. Two-factor authentication along with single sign-on ensures the identity of the user. If a SaaS alternative or third-party vendor is used, we must validate that the application and data are secured in the same manner, as well as vet their security against the same security standards we use internally.
The infrastructure team is responsible for perimeter and server security. The utilization of traditional security tools (i.e., firewalls, anti-virus, IDS and IPS systems) needs to be combined with the evaluation and/or use of newer tools.
The security team monitors and is alerted to any possible infiltration, and provides a continuous evaluation of the network, both internally and externally, to measure any gaps which may exist in our security posture.
TEP: How does the CIO make certain the systems they contract don't jeopardize their enterprise and their own career?
Manning: A strong business alliance is imperative to selecting systems that meet the business functionality needs of the organization while ensuring the security of the enterprise. IT's role should be to assist the business by:
- Working with them to decide if and how functional gaps can be overcome and what additional resources may be needed to close them
- Assessing the selected system's scalability
- Verifying the vendor is reputable and has sound references
- Verifying that the selected vendor's security standards and methodology are thorough and, at a minimum, meet our own internal standards
- Working with legal and the business to ensure contract and implementation details are defined thoroughly
- Assisting in negotiating product and implementation costs including both capital investments and ongoing expenses
- Providing strong project management oversight and support
- Providing a standardized project methodology and resources to implement a thoroughly tested and functioning system that meets the business needs