And so this column begins as a result of an interview with Warren Axelrod, one of the editors and authors of “Enterprise Information Security and Privacy.” And, after all, how could I resist a book whose first part is named “Trends” and whose author quotes Marshall McLuhan throughout his text? I love McLuhan for his “Driving while looking in the rear view mirror” metaphor. Or in the case of my daughters, observing how they actually drive.
The timing and tie-in to our Fourth Innovations and Technology Issue are prescient as well. Dr. Axelrod speaks of what he knows. While he has worked in information technology, information security and privacy roles within large financial institutions, including Pershing (a subsidiary of Bank of New York Mellon) and U.S. Trust (formerly owned by Charles Schwab and now part of Bank of America), he believes that corporate security is best left to professionals trained in that area. In his experience, IT and executive management strongly underestimate the insider threat, especially in economically difficult times, like now. “Enterprise information and physical security are very good at tracking outside behavior and threats as well as responding to events. But many insider thefts are never discovered by the organization,” explains Dr. Axelrod.
In one case, he used monitoring software to track e-mail being sent out of the company by departments managing “sensitive” (personal, financial, IP-related) information. He discovered a significant number of events in which an employee was violating policy and/or compliance regulations without the organization being aware of it. While about 90 percent of the violations were not malicious, the other 10 percent, by employees planning to leave (often for the competition), were.
The FBI estimates that more than $600 billion in intellectual property is stolen from U.S. organizations each year. And unless security leaders step up to communicate, manage risks and kill the silos, then the problems will grow worse. So, why does Dr. Axelrod prefer this role not to be in IT? “The problem with security being within IT is that CIOs usually put a priority on new features and capabilities for the business people. So maintenance and operational functions such as security are put off until something bad happens,” shares Dr. Axelrod. “Separate enterprise security departments are uniquely created to focus on security issues. Further, many IT people have network engineering and administrative backgrounds and are excellent at security administration and ops. But they do not have business and risk expertise or experience to apply to the threats.”
Among the tools Dr. Axelrod has successfully implemented to track behavior and prevent IP theft is Intellitactics’ security information and event management product. He notes that threat behaviors and events are difficult to detect unless you can see activity across platforms and devices; the Intellitactics approach pulls all the activity together and analyzes it. “Due to the huge dependence on business partners, especially large organizations depending on smaller ones, you also need to monitor and be alerted to your partner’s problems to avoid exposure. The only way to economically do this is through a third party service.” (The supply chain that the Security Executive Council and Security Magazine call The Security 50,000.)
Currently, Dr. Axelrod is serving on the R&D Committee of the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security. The council is focused on R&D to identify what the threats are and invest in ways to mitigate them. “You don’t know what you don’t know,” shares Dr. Axelrod. “Highly improbable, catastrophic events are going to happen. We don’t know what or when, but they will. The work and planning we do show those blind spots and improve our business resilience.” We look forward to his participation at the Security 500 Conference (see conference information below).
Intellitactics is among the many Innovations and Technologies that have changed the landscape of security strategy and management during the past decades. In this year’s special report, Bill Zalud has outdone himself! In Michael Dertouzos’ book, “Human Centric Computing: The Unfinished Revolution,” he writes: If our cars were as difficult to drive as our computers are to operate, they would never leave the garage. Yet, every day we put up with infuriating complications and incomprehensible error messages that spew forth from our technology. Were Dertouzos not the director of MIT’s computer lab at the time he wrote the book, this opening salvo might not have such sting.
If it reminds you of your security systems, trials and tribulations, then read on because help is here. Bill brings you insightful pointers to what’s coming over the horizon in emerging innovations and technologies from computer, communications and homeland security fields as well as a “smart grid” preview of what’s rolling out of security industry and law enforcement R&D labs.
The cover story identifies game changers, niche advances and ways enterprise security leaders can design diverse technologies, add a super-dose of application-centric software, and meet current challenges in addition to future proofing.
The bottom line: Products, systems and services are now more likely to be designed with the end user’s business in mind. Enjoy!
The Security 500 Conference will be held on November 11 at The Roosevelt Hotel in New York City. For details visit www.sec500.com. All Security 500 members receive a complimentary registration to the conference. Please call 440-285-4444 for more information.