As critical as it can be to understand who can access data, a related matter that is now getting more attention concerns the actual data itself: Has it been changed or moved, and if so, when, to what degree — and, of course, by whom? Known as “database auditing and real-time protection products,” this class of software (from vendors including Guardium, Imperva, Tizor, Symantec, IBM, Oracle, and others) is booming: Forrester Research predicts that it will grow from a $450 million market in 2007 to $900 million by 2010.
The primary reason is that many companies are now protecting not just a handful of databases that contain particularly sensitive information but all their databases, as compliance and regulatory requirements mount and security breaches become more common.
This software can, as Prat Moghe, founder and chief technology officer of Tizor, puts it, “tell you what’s happening to the data: Is it encrypted? Who’s looking at it? Who’s modifying it or suddenly copying a lot of it?”
The software also addresses a key related question: Should the data even exist? “Do you need Social Security numbers or credit-card numbers, for example?” Moghe says. Companies are often — indeed, almost always — more adept at capturing information than managing it once they’ve got it, and that extends to purging what they don’t need and are perhaps at risk for holding.
There are substantial technical differences between vendors, not to mention huge price differences between the data auditing utilities that a database company such as Oracle or IBM might include with its principal offerings (essentially free in some cases) and the more sophisticated products offered by specialty firms.
Parsing those differences can soon lead to the sorts of technology-intensive discussions that send C-level executives screaming from the room. Perhaps they should tough it out. “From a CFO perspective,” says Jose Segrera, CFO of Terremark Worldwide Inc., a provider of IT infrastructure services, “there is so much attention on risk management coming from the audit committee that IT and data security have to be on your risk-management checklist.” He points to the ISO 27000 family of security standards as one place that C-level executives might look for guidance. Wolf of Proskauer Rose suggests that companies look to current practices in the financial-services and health-care industries, where additional regulatory requirements have made them “the gold standard regarding what constitutes ‘reasonable’ protection of data.”
“Slowly,” says Moghe, “leading-edge companies are beginning to have the kind of systematic dialogue between IT, risk, compliance, and other departments that is essential to comprehensive security.” Ponemon says that the burden, for better or worse, tends to fall on lower-level staff, who must develop a solid value proposition for security measures in order to win funding and attention.
There is, however, a way to jumpstart that process. “Experience a disastrous breach,” Ponemon says.
Scott Leibs is a deputy editor of CFO.