Feeling Insecure - Page 2

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

Strengthened Resolve

While security coordination is a muddy issue, one thing is clear: There is a new resolve in corporate hierarchies to make security a priority - a resolve that corporate security experts say did not exist just six weeks ago.

In dozens of interviews conducted by Interactive Week, I-managers, information security experts, security consultants and corporate executives echoed a recurrent theme as companies scrambled to cope with the idea that the nation is at war with an enemy that is often invisible - and with the fact that they could become targets.

Corporate officials said they are re-evaluating and reassessing all levels of security. Oft-mentioned issues included Internet vulnerabilities to worms and viruses; ways to bypass secure entrances; and learning more about the habits of employees.

Bob Forbes, executive vice president and founder of Authentor Systems in Colorado, said he foresees new security systems that will not only watch the front and back doors, but track employees personal habits - from the time they clock in, to the time they log on - and notice when norms are not followed.

"Hard outer shells are suddenly getting a lot of attention, just as the demand for access is increasing," he said. "You typically cant increase access and security simultaneously. So you turn to behavior-based models as opposed to, say, firewalls that have static rules, that dont look at the type of information a user is requesting."

The economic reality of increasing security is finding expression in prioritization - and in the recognition that more sophisticated technology is not the only answer. Confirming that security policies are in place and are adhered to and planning reactions to worst-case scenarios are becoming part of a new corporate mindset, insiders said.

In many cases, corporations are scrambling to find funds in an almost stagnant economy to pay for technological tripwires, more security personnel and higher walls around information systems.

"The tragic events of Sept. 11 have been a cold, hard slap in the face to senior corporate managers who once paid lip service to security, but failed to allow long-term or short-term budget planning," said Marquis Grove, a director of Information Systems Security of Ottawa.

Within many companies and among security advisers there is also movement toward integrating physical and information security systems, to present a "hardened target" to terrorists, criminals and even disgruntled employees who try to disrupt business.

"Information technologists and corporate security managers have long enjoyed a love-hate relationship," said Grove, who doubles as information security director for an international Fortune 50 company.

"Unfortunately, there has been a long history of self-interest and self-promotion between the two groups that left them usually opposing measures being put forward by the other group," he said. "This reflected the fortress mentality of the past, where managers were more interested in protecting the size and function of their department than in what was best for the company."

Now, however, threat and risk assessments are in high demand at corporations of all shapes and sizes, from giants like Boeing to small firms - for which the faulty security of networks they hire to deliver their services could mean financial ruin.

Agencies of the federal government are also turning to private security interests to run risk assessments on networks, Web sites and other points of access to confidential information that could be valuable to international enemies.

Some corporations, like the Kansas Yellow Freight national trucking company, said they have not made dramatic changes in security, but have thoroughly reviewed their procedures and sent blanket reminders to all employees to be alert for security breaches.

For others, it is clearly a brave new world of information and physical security, transformed in ways that were almost inconceivable before the terrorist events just six weeks ago.

Juliano said DoveBid has added redundancy to its operations to allow the company to run entirely from any of its three major U.S. facilities. Its also started reviewing security systems on "a daily, rather than weekly, basis," and is even checking names of suspected terrorists released by the FBI against its employees and system users.