Network securitys organizational profile has risen steadily in the past two years, and security concerns are now much more likely to be represented at a senior-management level. As a result, security is as much about technical defense mechanisms as it is about organizational risk management, policy creation, and effective organizational education and training.
"Were seeing shifts away from technology people to risk management individuals," said Jerry Brady, chief technology officer at managed security services company Guardent Inc., in Atlanta.
"For three to four years, people have been purchasing security products to solve their problems," said Brady. "For the most part, people have been implementing stopgap products to solve their security problems. Weve seen a renewed focus on regulatory needs or standard ways to address their problems. Security assessment is looking at what your risks are and then mapping out action plans to bring out better or more managed security procedures."
Also changing the landscape is the fact that the law has been inserting its long arm into corporate security policies as never before, making regulatory concerns a top priority for security staff. In the financial services and health care sectors, the Graham-Leach-Bliley Act and the Health Insurance Portability and Accountability Act, respectively, have mandated sweeping changes in how protected information is transmitted, accessed and secured.
Impending legislative requirements will do yet more to make network security concerns matters of interest to corporate boards and CEOs.
SB 1386, an amendment to the California Civil Code, was passed in September and goes into effect July 1. This sweeping measure will have nationwide impact because it applies to all organizations—public and private—that either conduct business in California or that own or license data that contains personal information about any California resident.
SB 1386 requires organizations to disclose to customers the compromise or even suspected compromise of information. This will allow customers to take steps to prevent possible identity theft. Disclosure is the right thing in any case, but the bill (and the threat of lawsuits against noncompliers) will propel security changes from the top down.
Encryption is one technology that will get a boost from SB 1386, since the law pertains only to unencrypted information. Many databases make field-level encryption easy to perform, with Oracle Corp.s Oracle database and IBMs DB2 standing out in this area. Using data encryption was always a good idea, but now its the smart thing to do legally as well.
Timothy Dyck is a Senior Analyst with eWEEK Labs. He has been testing and reviewing application server, database and middleware products and technologies for eWEEK since 1996. Prior to joining eWEEK, he worked at the LAN and WAN network operations center for a large telecommunications firm, in operating systems and development tools technical marketing for a large software company and in the IT department at a government agency. He has an honors bachelors degree of mathematics in computer science from the University of Waterloo in Waterloo, Ontario, Canada, and a masters of arts degree in journalism from the University of Western Ontario in London, Ontario, Canada.