Beyond the firewall

Network security more complex than ever

This year, with all of its data breaches, has certainly proved that network security is much more complex than at past times, when firewalls were viewed as premium defense collateral. What are some methods/policies I should be aware of as I look to spend time (and security budget) in 2008?

The CSO's job has gotten more difficult recently as the focus of risk management has shifted from simply protecting the organization's network and server infrastructure to ensuring that the Intellectual Property (IP) housed within and communicated across that infrastructure does not get into the wrong hands.

A company's IP may be more valuable than its physical infrastructure. This is obviously the case in industries such as high technology, pharmaceutical, and biotechnology where the essence of competitive advantage and profits is intellectual property. But even in a number of 'lower tech' industries such as entertainment, retail, and financial services, proprietary content and know-how are keys to success and must be closely guarded.

Two fundamental requirements for the CSO charged with protecting this IP are 1) knowing what his organization's IP is, and 2) knowing who should be allowed to receive it. Meeting these requirements poses significant challenges.

According to a recent Enterprise Strategy Group (ESG) report, "Extending Intellectual Property Protection Beyond the Firewall" (sponsored by Reconnex), about half of the 109 companies surveyed did not have standard policies for identifying and classifying IP. Furthermore, IP classification is a bit of an organizational "hot potato," with responsibility for that classification spread across legal, line-of-business management, IT, and executive management in most organizations. This study also confirmed that more large organizations are sharing their IP with an increasing number of business partners (both domestic and international) in conjunction with outsourcing and offshoring relationships. In fact, about two-thirds of the organizations surveyed reported sharing moderate-to-substantial amounts of IP with their business partners today. Yet fewer than half of those surveyed have a formal process for determining which IP can be shared with business partners.

So, what's a CSO to do?

First, you have to learn what IP needs protection and prioritize it based on business impact. This requires meeting with the functional managers who are tasked with the creation and use of IP to create an inventory of the types of IP within the organization. There will always be a tradeoff between business imperatives and security, so it is important to distinguish the 'must protect' from the 'nice-to-protect' and focus first on the 'must protect' IP. Automated IP discovery tools can help identify potential IP that needs protection.

Second, you have to learn which business partners are permitted access to what IP. Again, this requires cross-functional dialogs with the business unit personnel who are tasked with working with outsourcing/offshoring partners to determine what information is critical to those partners and what information needs to be restricted from dissemination. In most cases, business managers will not be aware of the full extent to which information is being sent to the organization's network of business partners. In this case, it may be helpful for the CSO to provide business managers with reports showing the types of information flowing to external partners so those managers can decide what is appropriate and what is not. Data loss monitoring and reporting tools can be helpful in producing these kinds of reports.

CSOs have a clear understanding of how to protect their organization's computing infrastructure. Their new challenge is to protect the critical business information living within that infrastructure from inappropriate disclosure. This requires the CSO to learn what that critical information is and who is allowed to receive it and then to put in place appropriate technology and processes to educate users and to detect and prevent the leakage of that information.

John Peters is CEO, Reconnex.

John Peters

Network World