Do you feel that you're getting the support from IT vendors to achieve the level of performance you need to manage these complex processes and products?

Gunnerson: Partially. I don't think we've seen any magic bullets helping us to manage things without a lot of effort. ... One of the reasons is that the environment is changing so quickly. We're moving from security threats that take a month to security threats that take a day. That certainly keeps you up at night. As for Sarbanes-Oxley and the other laws that we have to support, we have to make sure that our systems reveal what needs to be revealed to be in compliance, and that's work also.

Do any of you find that you have to spend more time talking to corporate counsel or human resources or other administrative departments within the organization than was the case four or five years ago, to find out what they're going to need from you in terms of the visibility of data that Gary has just talked about?

Rosen: I'm actually finding the opposite: they're coming to us so that we can translate what [the legislative and regulatory mandates] are going to require.

Gunnerson: I think it's healthy, actually, because now we're all talking about the same systems and applications. Before, it used to be, "You do your job, and we'll do ours," and we didn't interact on a regular basis. It's forced us to have some conversations that weren't required before.

Do you feel that non-IT people tend to be more cognizant than before about what IT can and cannot do?

Gunnerson: There's a pretty good understanding from pretty much everybody, mainly because they've grown up with computing in their homes and they've suffered the slings and arrows of viruses and software upgrades and all kinds of nasty stuff. I think the basic understanding of what computers are about and their inherent problems are obvious to almost everyone.

Benincasa: We communicate a lot with our users whenever we have to, for example, take some action to increase security. We tell them what we're doing and why we're doing it, and, in a lot of cases, the users are pretty understanding. They don't like some of the inconveniences, but they know the risks to the network and the data if we don't protect them.

Frank, I know at Bose you have pretty definite control of system configuration and so on. Have you found that user acceptance of a managed configuration for personal computing has increased as end users have started to see the costs of not having that coordination and control?

Calabrese: Well, we've been doing our darnedest to bring that in as a mandate: that unless there is a very justifiable reason not to stay within that single-image, patch-managed, asset-managed environment, you do have to stay there. People understand the ramifications and understand the impact to the business. So what it comes down to is, Does your desire to have your own configured system outweigh our ability to run our enterprise systems? We feel the enterprise systems are more important.

There are tools becoming available that will help us deal with this: stand-alone appliances that you can buy that help you do intrusion detection and intrusion prevention. They're expensive, and they look a lot like network gear, which kind of involves everybody. These aren't products you just put into your infrastructure; you really have to understand how they affect how your packets are sent both inside and outside the company.