CIOs overconfident about protecting intellectual property
By Shamus McGillicuddy, News Writer
10 Jul 2007 | SearchCIO.com
IT organizations say they're doing a good job of protecting digital intellectual property. But research suggests many of them might need a reality check.
In a survey conducted by Enterprise Strategy Group (ESG) in Milford, Mass., most of the 102 IT decision-makers polled gave high grades to their ability to protect intellectual property that is created, delivered or stored electronically, such as design specifications, source code, patent documents and financial information.
Further, 85% said they did at least a good job of identifying intellectual property, 82% said they did a good or excellent job of locating where intellectual property resides across their IT infrastructure, and 80% said they were good or excellent at classifying intellectual property. Finally, 74% said they were doing a good or excellent job of securing all information classified as intellectual property.
The survey was sponsored by Reconnex Inc., a Mountain View, Calif.-based vendor of data loss protection appliances.
Their confidence may be reassuring to their bosses, but Jon Oltsik, a senior analyst at ESG, said the answers these decision-makers gave to other questions revealed that the respondents are a little overconfident.
Indeed, 44% of respondents said they would spend significantly more money on protecting intellectual property this year. Another 30% said their budgets would increase slightly. Only 20% reported no change in spending.
"They think they're doing a good job, but on the other hand they're prepared to dedicate more money to it," Oltsik said. "So if they're doing a good job, why are they spending more money?"
Part of the growth in spending on protection of intellectual property could be attributed to high-profile data breaches such as those at the U.S. Department of Veterans Affairs and retailer The TJX Cos.
"What we're finding is these breaches are scaring people into action," Oltsik said. "Doing an OK job may mean we think we're OK, but we're willing to live with a certain amount of risk. The fact that they're spending a lot of money tells me they're no longer willing to live with a certain amount of risk."
Manual monitoring bad news
The high number of respondents who said they're monitoring their intellectual property manually raised another red flag with Oltsik. Only 56% of organizations automatically scan repositories and file servers and classify intellectual property based on keywords, content, department, author or other search terms. Oltsik said relying on manual processes to identify and secure intellectual property isn't enough.
"I think they're probably doing as well as they can under the circumstances," Oltsik said. "They reach a saturation point. Then they have to make changes. Hire more people. It's not just the amount of data. It's where the data is going and where it's being stored. It's not just laptops. It's mobile devices. Mobile storage devices and media. And it's not just employees anymore. It's business partners, customers and suppliers."
Oltsik said manual processes alone can't track all the instances of intellectual property that live in a company's infrastructure. Automated tools for tracking this information are needed.
Also, Oltsik said some organizations are making a big mistake by taking a decentralized approach to identifying and classifying intellectual property. Twenty percent of respondents said individual application owners, departments or individuals do the work of classifying information as intellectual property with no oversight from the legal or information security departments. Another 8% relied on individuals and departments as well, but legal and information security departments did provide oversight.
"The risk is that your policies and processes and enforcement will be different on a business unit by business unit basis," Oltsik said. "One department will say this really isn't intellectual property to me, whereas another business unit says it is. That's a problem, especially with a large, global company. Different classifications, monitoring and enforcement -- that creates vulnerability and things may be leaking out that shouldn't."
Randy Barr, chief security officer at WebEx Communications Inc., a Santa Clara, Calif.-based vendor of on-demand collaborative applications, deployed a Reconnex data protection appliance in his company two years ago. He bought the technology because executives suspected the company's sales leads were being leaked.
"We completed a risk analysis on our lead generation," Barr said. "We were concerned that somehow our lead-generation information was getting over to our competitors. We were getting ready to close and would find that our competitors would come in and bid below what we had bid."
Barr said Reconnex's technology found that WebEx's suspicions were unfounded. Sales leads weren't leaking, but other problems were uncovered. Barr declined to be too specific.
"We weren't prepared for what we were going to see," Barr said. "We did a 24-hour assessment. When we looked at the report there was a lot of information. We started noticing everyone's chats and webmail. It was so easy to see. It was pretty scary. We did identify some malicious users who were doing things internally they weren't supposed to."
Barr said Reconnex has helped his company secure intellectual property on the network level, but he said he'd like to see something that can deploy at the desktop level as well. He said it's difficult to track what users do with sensitive information on a desktop level, particularly whether they're transferring data to external storage media like CD-ROMs and USB drives.
"To fill that gap, we really restrict users from what information they have access to," Barr said. "When you restrict users, they come back and say they aren't as productive as they could be. They want to be able to work from home with laptops. There are certain cases where I have to authorize that."
Oltsik said, "We're in an evolutionary state. The tools will always get better. Today's tools are better than they were two years ago. Everything could improve and will improve, but you can certainly find tools right now to help you if you look."