‘It’s the data, stupid!’ – CIOs need to get real about IT security


9 Mar 2009

CIOs who spend fortunes securing the perimeters of their organisation are wasting their time and should focus on the data itself, the chief executive of IT security giant Websense told siliconrepublic.com.

Gene Hodges is CEO of US$350m turnover Websense, and was previously president of McAfee.

Websense is a global leader in the field of web gateway software that enables web filtering, email security and data-loss prevention for businesses around the world.

Hodges, who was in Dublin recently, said that with the onset of cloud computing, the focus of CIOs today should be on making technology a more centralised IT environment.

“The cloud is the biggest trend in IT, along with virtualisation. We need to be analysing how we protect a more centralised computing environment.

“From a security perspective and protecting against when the bad guys attack, the focus should be on protecting the data rather than the infrastructure.

“For 12 of the past 15 years, CIOs have spent their money protecting the infrastructure element. That was fair enough because the hackers were going after the networks with worms and spam.

“But, about four years ago, the focus of hackers’ attacks started to shift from mischief-making to stealing information in order to monetise. This necessitates a shift in the focus of security policy and technology to protect the data, not just the wires and the device. This would be much easier in a centralised IT environment.”

Hodges acknowledged that many of the recent security scandals, both at home and abroad, have been around the loss of devices such as laptops, BlackBerrys and USB keys. The real panic hasn’t been the devices themselves, but the data they contain.

“Firms need to change IT policy to focus on protecting the data, as opposed to the infrastructure. In recessionary times, this can be a godsend because it simplifies and removes cost.

“When you focus on data as the core asset, you can begin to be more selective about what you want to protect. The truth is, most corporate data is not truly critical. You lose a file, it can be backed up. Whereas if that file were a press release with quarterly results, and the file got taken and released, the damage to the company would be immense in terms of disclosure and insider-trading ramifications.

“Our advice to business managers is to have a serious chat with the CIO or IT manager about what data you want to protect. Then start to marshal your resources to provide high assurance that the essential information can be protected.”

According to Hodges, the security technology of today allows IT managers and users to put the right privileges on who can touch a document; if it is emailed, whether it has to be encrypted before it is sent, and what physical servers it can sit on and what outside locations it can go to.

“CIOs should spend less aggressively in infrastructure protection but more in data-oriented protection.

“It’s about the data, stupid! Firm,s especially in these lean times, should understand the futility of ubiquitous perimeter protection. It’s just too complicated in a changing world.

“What’s needed is something that can protect data from a policy point of view, that’s what IT needs to deliver on,” he concluded.

By John Kennedy