Managing Risk

Network security stakes and complexities are rising.

Network security's organizational profile has risen steadily in the past two years, and security concerns are now much more likely to be represented at a senior-management level. As a result, security is as much about organizational risk management, policy creation, and effective education and training as it is about technical defense mechanisms.

"We're seeing shifts away from technology people to risk management individuals," said Jerry Brady, chief technology officer at managed security services company Guardent Inc., in Atlanta.

"For three to four years, people have been purchasing security products to solve their problems," said Brady. "For the most part, people have been implementing stopgap products to solve their security problems. We've seen a renewed focus on regulatory needs or standard ways to address their problems. Security assessment is looking at what your risks are and then mapping out action plans to bring out better or more managed security procedures."

Also changing the landscape is the fact that the law has been inserting its long arm into corporate security policies as never before, making regulatory concerns a top priority for security staff. In the financial services and health care sectors, the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act, respectively, have mandated sweeping changes in how protected information is transmitted, accessed and secured.

Impending legislative requirements will do yet more to make network security concerns matters of interest to corporate boards and CEOs.

SB 1386, an amendment to the California Civil Code, was passed in September and goes into effect July 1. This sweeping measure will have nationwide impact because it applies to all organizations—public and private—that either conduct business in California or that own or license data that contains personal information about any California resident.

SB 1386 requires organizations to disclose to customers the compromise or even suspected compromise of information. This will allow customers to take steps to prevent possible identity theft. Disclosure is the right thing in any case, but the bill (and the threat of lawsuits against noncompliers) will propel security changes from the top down.

Encryption is one technology that will get a boost from SB 1386, since the law's disclosure requirement applies only to unencrypted information. Many databases make field-level encryption easy to perform, with Oracle Corp.'s Oracle database and IBM's DB2 standing out in this area. Using data encryption was always a good idea, but now it's the smart thing to do legally as well.
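The article names native database support for field-level encryption but does not show what the technique looks like in practice. The following is an added example, not code from the article or from Oracle or IBM: it shows the application-side equivalent, where a record is stored with its non-sensitive columns in clear and only the sensitive column (here a hypothetical Social Security number field) encrypted with AES-256-GCM. The row ID is bound into the ciphertext as associated data so a value cannot be copied into another row undetected. The key, the record layout and the column name are constructed for the example; in a real deployment the key would come from a key management service, not from the code.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// CustomerRecord models one database row. Only the SSN column is stored
// encrypted; ID and Name remain queryable plaintext. (Constructed layout.)
type CustomerRecord struct {
	ID           int
	Name         string
	EncryptedSSN string // base64(nonce || AES-GCM ciphertext || tag)
}

// fieldAAD binds a ciphertext to the column and row it belongs to, so the
// same encrypted value pasted into another row fails authentication.
func fieldAAD(column string, id int) []byte {
	return []byte(fmt.Sprintf("%s:%d", column, id))
}

// EncryptField encrypts one field value with AES-256-GCM under key.
// A fresh random nonce is prepended so equal plaintexts do not yield
// equal ciphertexts (an attacker could otherwise spot duplicate values).
func EncryptField(key []byte, plaintext string, aad []byte) (string, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), aad)
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField. Any change to the ciphertext, the
// key or the associated data makes gcm.Open fail, which is the desired
// behaviour: corrupted or relocated data is rejected rather than returned.
func DecryptField(key []byte, encoded string, aad []byte) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, aad)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// NewRecord builds a row ready for INSERT, encrypting only the SSN column.
func NewRecord(key []byte, id int, name, ssn string) (CustomerRecord, error) {
	enc, err := EncryptField(key, ssn, fieldAAD("customer.ssn", id))
	if err != nil {
		return CustomerRecord{}, err
	}
	return CustomerRecord{ID: id, Name: name, EncryptedSSN: enc}, nil
}

// RecordSSN recovers the plaintext SSN from a stored row.
func RecordSSN(key []byte, r CustomerRecord) (string, error) {
	return DecryptField(key, r.EncryptedSSN, fieldAAD("customer.ssn", r.ID))
}

func main() {
	// Demo key only; a production key lives in a KMS or HSM, not in code.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	r, err := NewRecord(key, 42, "Example Customer", "000-00-0000") // constructed value
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: id=%d name=%q ssn=%s\n", r.ID, r.Name, r.EncryptedSSN)
	ssn, err := RecordSSN(key, r)
	fmt.Printf("decrypted: %q err=%v\n", ssn, err)
}
```

A breach that exposes only the stored rows yields ciphertext for the protected column, which is the distinction SB 1386 draws; the key must therefore be held and logged separately from the database, or the encryption adds nothing.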