No. 6: Plug data leaks

Data spills are almost inevitable, but you can minimize risk and mitigate damage by keeping an eye on orphaned accounts, lax oversight of permissions, and mobile data access.

A survey of more than 850 executives by security firm Symark revealed that 42 per cent of all businesses have no idea how many orphaned accounts exist on their networks, and nearly one-third have no procedure for removing them. Worse, many organizations are lax about policing who's allowed to access what data on the network.

"It's not uncommon for folders on file shares to have access control permissions allowing everyone to access the data inside it," says Johnnie Konstantas, vice president of marketing at Varonis Systems, a data governance solutions provider. "Global access to folders should be removed and replaced with rules that give access to the explicit groups that need it."

Konstantas says IT departments need to maintain a current list of everyone who "owns" each data store and review or revoke permissions on a regular basis.

Lax permissions policies, coupled with the growing threat from rogue mobile devices, raise the possibility of accidental data spills and deliberate data breaches, notes Ben Halpert, an information security researcher and consultant.

"The current security model is inadequate for dealing with today's threats," he says. "When it comes to mobile security, every organization needs to recognize certain realities. The first is that you can't stop mobile device proliferation. The second is that user awareness alone is ineffective. And third, point solutions like encryption will only shift the target."

A December 2007 survey conducted by the Ponemon Institute found that nearly 40 per cent of employees have reported losing a mobile device containing company data, and that more than half copied sensitive data to USB drives despite company policies forbidding the practice.

Halpert says enterprises need to implement an overarching strategy for mobile security, taking into account technology, user populations, and processes.

"While the majority of your workforce does not have malicious intent, those involved in social engineering are masters of the human condition and will attain the information they desire," Halpert warns.

No. 7: Follow the money

If IT wants to overcome its reputation as a corporate money suck, tech managers need to learn a few things about the bottom line -- including how to translate long-term goals into quarterly results for the CFO.

"Having financial knowledge is important, especially when you've got a $50 million IT budget that can easily spiral out of control," says Interphase Systems' Biglin. "The CIO can't approve every invoice. We find IT directors managing multimillion-dollar projects who don't know what costs to capitalize and which ones to expense. If you don't understand the difference, it's easy to wind up a year down the road where something has to be reclassified. It can really impact companies who report their numbers to Wall Street."

Basic concepts -- such as the difference between cash flow and profits -- need to extend throughout the IT organization, says Joe Knight, co-author of "Financial Intelligence for IT Professionals: What You really Need To Know about The Numbers."

"I think everybody in the IT department needs to understand how projects are made, why they're important, and the future benefits they will bring to the company," says Knight. "If you can speak the language of finance and present your IT case in financially astute way, you'll not only make better decisions but you'll also be able to drive your decision through the organization."