By Tim Greene
Corporate security experts face a crisis as they are caught between
regulators demanding better accountability for data security and the
need to keep businesses up and running with the help of many business
partners, an American Express security executive told Interop New York.
As more data is housed at least temporarily outside corporate data
centers, it becomes more difficult to comply with industry and
government regulations, according to Steven Suther, director of
information security management for American Express.
"Tell me where your data is and how it is being secured," regulators
want to know, he says. "So we need to define at what point is
information outside our domain and how is it being protected."
But businesses have very little control over how partners with whom
they must share data protect it, he says. Amex asks its vendors to
self-assess their security and if it comes up short, Amex will conduct
on-site visits to assess the security in person. "We're testing their
controls so we can tell regulators we're comfortable with what they
are doing," Suther says.
Amex has designated vendor-relations managers who are responsible for
ensuring that data controls are in place for a specific list of firms
that Amex has hired to perform financial services jobs, he says.
The problem is complicated by whether the tools needed to protect data
are available and affordable, says John Pironti, a principal for
enterprise and security architecture for Unisys, and what combination
of protections is considered sufficient by regulators. "What is good
enough that everyone can agree on," Pironti says.
It is difficult to take the requirements of, say, Sarbanes-Oxley, and
translate them into concrete security policies, Suther says. "We're all
suffering the same kind of lack of confidence in what we should be
doing," he says.
Suther says he struggles to balance imposing security on his financial
services vendors and allowing them to do their jobs so Amex's
financial services business keeps running. "I have to be flexible
right now if I want a universe of vendors for my business departments
to choose from," Suther says.
In practice, businesses are not imposing all the security they might
or only doing so for the most important data, says Alex Van Deusen, a
senior security consultant for Cisco. "They're just not rolling it out
to every level of their enterprise," he says of businesses he has
Regardless of the technology in place to protect data, people still
represent the biggest threat, says Alex Ryskin, IT director for the
laser laboratories at the University of Rochester in New York. End
users must face penalties if they fail to follow security policies so
they recognize their importance and follow them, he says. "You would
be shot - literally - in Soviet Russia," where he lived for 40 years,
he says. "It did work."
And U.S. corporations are starting to get tough themselves, says Van
Deusen. "You need severe penalties, clearly defined: you are going to
get fired," he says.
Suther says that less drastic means can help enormously, particularly
educating users on the risks and consequences for the business if
security is breached. "It's one of the few areas where we feel we can
do the most," he says.
He recommends that businesses set up goals for data security and
review how well they have worked every six months, with the goal of
gaining better and better compliance over time. It is particularly
important for business executives to be on board. They recognize the
need for better security, and want to avoid devastating bad publicity
if private data is compromised. But they also want no negative
effects on their business processes.
"We want to be able to say, 'Things have gotten better and you have
not ended up on the front page of the Wall Street Journal,'" he says.
All contents copyright 1995-2005 Network World, Inc.