Making progress

Despite all the hurdles, enterprise customers are moving forward and discovering tools and processes that will help them improve data security. Gus Tepper, vice president of software development at US-based real estate financial services provider First American, says that incremental progress is important, even if it does not solve every data security headache overnight.

One of the first steps, says Tepper, is to get a better grip on which workers can access which repositories of sensitive information and to automate the process of granting and removing entitlements using more intelligent tools. This has proven vital in a company with close to 40,000 employees, many of whom tend to shift responsibilities on a regular basis.

"We think that we've done a good job of making sure that data is secure from this perspective of access. Where most failures occur is around human process," Tepper says. "To the extent that you can automate and minimize threats via controlling access, this is some of the most important work I think any company can do."

First American installed encryption technology on all of its laptops to prevent someone from gaining data access if the machines are lost or stolen. It is also employing similar tools to obscure data stored on tape drives in offsite locations, and the company has bought in entitlement management software made by Securent to help its data governance efforts.

"When you're in a large company like ours with hundreds of applications and people moving between divisions, there is a lot of cleaning up that has to happen, as it's easy to lose track of access privileges without a tool that gives you centralized management," Tepper says. "As far as the outside world having access, we really want to make sure that doesn't happen, and we have a lot of security technologies in place to address that. But by getting a better handle on internal access and all the processes needed to allow for that, we think our standing has improved significantly."

The company also hired its first chief information security officer in 2006 to give data protection a more prominent role in the overall management of its operations, he says.

Many large companies wish that they could start from scratch as they re-architect their data protection strategies, but even those who can afford to concede that the nature of protecting the information they gather is daunting.

Marty Hodgett, chief information officer at US-based retail chain Orchard Supply Hardware (OSH), has been tasked with introducing IT into the company, which is hoping to grow into a national presence in the next few years

As the hardware chain brings workstations and new data harvesting systems into its operations — which Hodgett classifies as lagging in the use of most modern IT equipment — it will be an ongoing balancing act to empower the company with more data about its customers, employees, and suppliers while keeping a lid on sensitive information, he says.

US Retail giant Sears currently owns roughly 80 percent of OSH, but the hardware chain is also working toward a spin-off from its parent company. "We've been relying on Sears for a lot of things, so now we're putting in our own financials, payment, and human resources systems, among others, on this journey to become independent and expand across the country," Hodgett says. "Today this process is all about risk mitigation. We know we're never going to get to zero, and you can go crazy if you try to consider everything at once, but a key part of building this IT foundation is considering data security at every turn."

One of the tools Hodgett has already employed is data leakage prevention software made by Provilla, to help safeguard sensitive employee and customer data against potential breaches, both intentional and accidental.

"As we are moving up the technology curve and adding capabilities, we're trying to augment everything we do with additional mitigation techniques for risk," Hodgett says. "We're low-tech today, so the risk is low, but as we push the envelope and do things like introduce consumer credit cards, there will lots of demand to secure everything we have, as well as compliance demands."

Expert advice

With everyone from hardware makers to services providers trying to inset their wares into the enterprise security buying cycle, there is no shortage of strategic advice. For starters, Nick Mehta, US senior director of product management at Symantec, suggests blending anti-malware applications with data discovery systems.

Mehta leads a team responsible for developing and marketing Symantec's Enterprise Vault technologies, a package of data archiving and security tools. "There will always be ways to circumvent protections, and companies will always have incidents, but you can get rid of a lot of the accidental issues such as missing encryption and broken business processes by employing technologies that identify and block those types of incidents," Mehta says.

On the hardware side, Intel has begun loading its products with additional security features, including the company's recently announced Active Management Technology, which is designed to help IT administrators remotely fix devices that have crashed due to malware or other attacks.

"From an IT operational level, I do think things are getting better, but there will always be a need for continued evolution in the nature that information is stored and protected," says Malcolm Harkins, US IT security director at Intel. "Protection starts with the classification of data and its criticality to a business. Once you do that you can specify controls based on tolerance for risk."

Executives at Imperva, a US-based provider of security and compliance technologies used in corporate data centres, say that past security investments make it tough to convince business leaders that new tools will actually solve the information protection problem.

"For the last 10 or 15 years, customers have been throwing technologies at these problems, and senior leadership often feels that these solutions haven't proven adequate, so every purchase needs to be defended over and over again," says Robin Matlock, general manager at Imperva. "IT departments need to show leaders where the problems exist and what new options are open to them to address the problems they have. And security vendors really do need to help customers continue to make their business case."