Despite a reduction in its overall security budget, WSECU will continue to pursue a “defense in depth” strategy that provides a level of data and systems protection appropriate for each particular IT asset. The credit union is specifically looking at its E-mail management strategy in trying to bolster security and stem E-mail-based data leakage; networks, portable storage devices, and cell phones are also of particular concern.
But Hildesheim says the most significant improvement in security has been the institutionalization of an enterprise risk management committee composed of leadership from every line of business. “This is not a significant cost, except in time,” he says, “yet it goes further in providing increased security awareness, and therefore improved security overall, than any tool we have implemented.”
TouchTunes Music Corp., an interactive entertainment network that serves more than 30,000 restaurants, retailers, and other businesses in North America, is concerned about its ability to provide robust security in the current economic climate. “Securing all IT assets across the enterprise is a daunting task — too big, given the constrained budgets in this bad economy,” says former CFO Philip Livingston (he left the company in January). The company has cut spending across all functions, including IT security. “The economy is bad, and we all have to share the burden,” Livingston says.
Nevertheless, the company is deploying security tools that monitor systems and application usage and data access on a continuing basis, and provide detailed reports showing who accesses what information and what they do with it. “Further automation around systems that tighten loss control and improve systems efficiency is a priority,” he says.
Despite the tighter budgets, data privacy and protection will be a major priority for TouchTunes in 2009. “No organization wants to be in the headlines for [a] data breach; it’s a company’s worst nightmare,” Livingston says. “Data breaches continue to be a major concern in 2009, especially with the push toward virtualization and our networks being exposed to a wider variety of malware and hacking mechanisms than ever before.”
A Role for GRC?
Although the arsenal of IT-security products is vast, some firms are finding value in tapping a category of software not usually associated with protecting data. Governance, risk, and compliance (GRC) software was first developed to help organizations track a host of regulatory requirements, such as the internal-controls provisions mandated by Sarbanes-Oxley. It has since expanded to many other areas (see “A Defining Moment,” January), and now some firms see a role for it in IT.
GRC packages “seem to represent a natural progression for security professionals in order to benefit from a more integrated approach to risk management and compliance, versus a piecemeal approach that many have been taking until recently,” says Livingston, who used GRC software at previous companies. “IT GRC technologies [offer] a unified platform to automate user access, process-level, and general computing controls.”
Ken Schultz, CFO at CashNetUSA, a provider of online financial services, says that because his company offers financial services over the Internet, IT security “remains at the forefront of our thought process, so we can proactively protect our platform and customers.” He declined to provide specifics about how CashNetUSA is securing its information assets, but says that “fortunately, our business continues to grow despite the current economic conditions, and as such our security budget has again increased in 2009.”
That doesn’t mean the company isn’t looking for more-economical ways to provide security. One area of interest is open-source software, a category that few might associate with security but which is in fact providing a fertile ground for new products. For example, CashNetUSA recently deployed open-source Web-application firewalls and network-vulnerability scanners.
“We find that by staying in touch with the buzz and awareness in the open-source community, we don’t have to be beholden to a certain vendor to acquire and implement the technology needed to be on the cutting edge of data security,” Schultz says.
Bob Violino is a freelance writer based in Massapequa Park, New York.