CIOs overconfident about protecting intellectual property

By Shamus McGillicuddy, News Writer 10 Jul 2007 | SearchCIO.com

IT news and analysis for CIOs Digg This!     StumbleUpon     Del.icio.us

In a survey conducted by Enterprise Strategy Group (ESG) in Milford, Mass., most of the 102 IT decision-makers polled gave high grades to their ability to protect intellectual property that is created, delivered or stored electronically, such as design specifications, source code, patent documents and financial information.

More on data security Data breach costs weigh on TJX 1Q profit CIOs take heat for security snafus

Further, 85% said they did at least a good job of identifying intellectual property, 82% said they did a good or excellent job of locating where intellectual property resides across their IT infrastructure, and 80% said they were good or excellent at classifying intellectual property. Finally, 74% said they were doing a good or excellent job of securing all information classified as intellectual property.

The survey was sponsored by Reconnex Inc., a Mountain View, Calif.-based vendor of data loss protection appliances.

Their confidence may be reassuring to their bosses, but Jon Oltsik, a senior analyst at ESG, said the answers these decision-makers gave to other questions revealed that the respondents are a little overconfident.

Indeed, 44% of respondents said they would spend significantly more money on protecting intellectual property this year. Another 30% said their budgets would increase slightly. Only 20% reported no change in spending.

"They think they're doing a good job, but on the other hand they're prepared to dedicate more money to it," Oltsik said. "So if they're doing a good job, why are they spending more money?"

Part of the growth in spending on protection of intellectual property could be attributed to high-profile data breaches such as those at the U.S. Department of Veterans Affairs and retailer The TJX Cos.

"What we're finding is these breaches are scaring people into action," Oltsik said. "Doing an OK job may mean we think we're OK, but we're willing to live with a certain amount of risk. The fact that they're spending a lot of money tells me they're no longer willing to live with a certain amount of risk."

Manual monitoring bad news

The high number of respondents who said they're monitoring their intellectual property manually raised another red flag with Oltsik. Only 56% of organizations automatically scan repositories and file servers and classify intellectual property based on keywords, content, department, author or other search terms. Oltsik said relying on manual process to identify and secure intellectual property isn't enough.

"I think they're probably doing as well as they can under the circumstances," Oltsik said. "They reach a saturation point. Then they have to make changes. Hire more people. It's not just the amount of data. It's where the data is going and where it's being stored. It's not just laptops. It's mobile devices. Mobile storage devices and media. And it's not just employees anymore. It's business partners, customers and suppliers."

Oltsik said manual processes alone can't track all the instances of intellectual property that live in a company's infrastructure. Automated tools for tracking this information are needed.

Also, Oltsik said some organizations are making a big mistake by taking a decentralized approach to identifying and classifying intellectual property. Twenty percent of respondents said individual application owners, departments or individuals do the work of classifying information as intellectual property with no oversight from the legal or information security departments. Another 8% relied on individuals and departments as well, but legal and information security departments did provide oversight.

"The risk is that your policies and processes and enforcement will be different on a business unit by business unit basis," Oltsik said. "One department will say this really isn't intellectual property to me, whereas another business unit says it is. That's a problem, especially with a large, global company. Different classifications, monitoring and enforcement -- that creates vulnerability and things may be leaking out that shouldn't."

Randy Barr, chief security officer at WebEx Communications Inc., a Santa Clara, Calif.-based vendor of on-demand collaborative applications, deployed a Reconnex data protection appliance in his company two years ago. He bought the technology because executives suspected the company's sales leads were being leaked.

"We completed a risk analysis on our lead generation," Barr said. "We were concerned that somehow our lead-generation information was getting over to our competitors. We were getting ready to close and would find that our competitors would come in and bid below what we had bid."

Barr said Reconnex's technology found that WebEx's suspicions were unfounded. Sales leads weren't leaking, but there were other problems uncovered. Barr declined to be too specific.

"We weren't prepared for what we were going to see," Barr said. "We did a 24-hour assessment. When we looked at the report there was a lot of information. We started noticing everyone's chats and webmail. It was so easy to see. It was pretty scary. We did identify some malicious users who were doing things internally they weren't supposed to."

Barr said Reconnex has helped his company secure intellectual property on the network level, but he said he'd like to see something that can deploy at the desktop level as well. He said it's difficult to track what users do with sensitive information on a desktop level, particularly whether they're transferring data to external storage media like CD-ROMs and USB drives.

"To fill that gap, we really restrict users from what information they have access to," Barr said. "When you restrict users, they come back and say they aren't as productive as they could be. They want to be able to work from home with laptops. There are certain cases where I have to authorize that."

Oltsik said, "We're in an evolutionary state. The tools will always get better. Today's tools are better than they were two years ago. Everything could improve and will improve, but you can certainly find tools right now to help you if you look."

Tags: Strategy: Take stock of your risks,  Execution: Dodge risks in practice,  Enterprise data security and privacy,  Enterprise information security management,  IT asset management,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Strategy: Take stock of your risks Enterprise risk management solutions for CIOs Gartner: Future IT security jobs to focus on risk management strategy Sustainability risk management: Beyond green IT Outsourcing deals no good if contract is weak Career advice for CIOs: Four qualities of a leader and more 'Millennials' buck IT security policies Vetted IT negotiations reduce risk of project failure Business process management: Avoiding the pitfalls IT risk moves higher on security radar, report finds IT security trends move toward information risk management Execution: Dodge risks in practice IT risk management in the enterprise Unearthing the potential paybacks of enterprise risk management Project management needs to think smaller, faster Disaster planning: Bank builds data center for the long haul PCI compliance a good start, but not enough Malware real threat to holiday shopping on company time Electronic medical records at risk of being hacked, report warns Fewer security breaches blamed on human error PCI compliance deadlines have retailers scrambling Managing mobile computing policies Enterprise data security and privacy GPS devices, geolocation data create privacy, security risks Health care security, HIPAA compliance on deck for CIOs in Obama era Network access control: Security advice for enterprise CIOs Data protection in the cloud: What's good enough? Healthcare IT standards still not clear Avoiding gotchas of security tools and global data privacy laws CIO turns to identity and access management to solve business problem Data protection quiz for enterprise CIOs Seven tips to improving enterprise data protection Employee layoffs pose security risk if systems access not disabled

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary