The solution of most enterprises to meeting complex data security challenges is to deploy software that combats their risks. But that software isn't always used to the extent of its abilities, according to a panel discussion at the Interop conference this week in New York.
"I have several million dollars in software were not using right now," said Jay Leek, chief information security officer for Blackstone. "I have a lot of bells and whistles that I've turned off as well."
Dave Asprey, VP of cloud security for TrendMicro, said this isn't unique in the industry: "A large enterprise buys the suite but it sits on a shelf. It is a partnership. The software works, you have to put it out there." But, he added, "At the end of the day the data is self-protecting if it's encrypted. But none of that works if you aren't blocking and tackling."
Bruce Sussman, director of information security and compliance for Wyndham Worldwide, took a middle position. While it's not crucial to throw a huge software budget at vulnerabilities, he says that culture is the biggest indicator of security best practices.
"I don't think bad things happen because we don't buy the latest widget -- I've seen lots of bad things happen and it's never been because the enterprise has a flawed procurement strategy," he says. "But it's more important to train folks properly. The folks who sign the checks must understand the technology, and how to turn it on or train the staff to use it."
There are many vulnerabilities in any given enterprise, added Adrian Sanabria, senior security analyst for 451 Research. Companies are wise to focus on only the ones that pose imminent threats, he advises. In addition, companies should share with each other their experiences with given software so their peers have an idea of what to expect.
"Security isn't transparent enough -- I think it would be great for the industry to find a way to figure out the effort of integrating a product," he says. "What's the effort level to integrate it into your enterprise? Do you need two full-time people to manage this product? What about enabling some of the more advanced features -- do other things break? Maybe it's the enterprises fault."
Sanabria recognizes this isn't an easy proposition -- "If you get hacked, you don't want everyone to know about it." And, he concurs, the best way to combat cyber threats is to establish good processes, not pile on software.
"Security is something you do, not something you buy," he says. "While you do need the tools to do the job, go through some scenarios. Really, from an attackers point of view the easiest way to get in is to send someone an email. It's a chess game."