
02:30 PM

Is Data Security Software Good Enough?

A panel of experts identified several issues in enterprises' use of data security software.

Most enterprises respond to complex data security challenges by deploying software that combats their risks. But that software isn't always used to the full extent of its abilities, according to a panel discussion at the Interop conference this week in New York.

"I have several million dollars in software we're not using right now," said Jay Leek, chief information security officer for Blackstone. "I have a lot of bells and whistles that I've turned off as well."

Dave Asprey, VP of cloud security for TrendMicro, said this isn't unique in the industry: "A large enterprise buys the suite but it sits on a shelf. It is a partnership. The software works, you have to put it out there." But, he added, "At the end of the day the data is self-protecting if it's encrypted. But none of that works if you aren't blocking and tackling."

Bruce Sussman, director of information security and compliance for Wyndham Worldwide, took a middle position. While it's not crucial to throw a huge software budget at vulnerabilities, he says that culture is the biggest indicator of security best practices.


"I don't think bad things happen because we don't buy the latest widget -- I've seen lots of bad things happen and it's never been because the enterprise has a flawed procurement strategy," he says. "But it's more important to train folks properly. The folks who sign the checks must understand the technology, and how to turn it on or train the staff to use it."

There are many vulnerabilities in any given enterprise, added Adrian Sanabria, senior security analyst for 451 Research. Companies are wise to focus on only the ones that pose imminent threats, he advises. In addition, companies should share with each other their experiences with given software so their peers have an idea of what to expect.

"Security isn't transparent enough -- I think it would be great for the industry to find a way to figure out the effort of integrating a product," he says. "What's the effort level to integrate it into your enterprise? Do you need two full-time people to manage this product? What about enabling some of the more advanced features -- do other things break? Maybe it's the enterprise's fault."

Sanabria recognizes this isn't an easy proposition -- "If you get hacked, you don't want everyone to know about it." And, he concurs, the best way to combat cyber threats is to establish good processes, not pile on software.

"Security is something you do, not something you buy," he says. "While you do need the tools to do the job, go through some scenarios. Really, from an attacker's point of view the easiest way to get in is to send someone an email. It's a chess game."

Nathan Golia is senior editor of Insurance & Technology. He joined the publication in 2010 as associate editor and covers all aspects of the nexus between insurance and information technology, including mobility, distribution, core systems, customer interaction, and risk ...

Comments
Greg MacSweeney,
User Rank: Apprentice
10/8/2013 | 10:07:33 AM
re: Is Data Security Software Good Enough?
I'm pretty sure that FS-ISAC is open to security providers (which I assume means vendors). I know many of the banking and insurance associations are involved. And FS-ISAC does have links to other ISAC groups that have been set up in other industry verticals (water, public transit).

But bringing in vendors and other technology experts makes sense. It certainly can't hurt.
Nathan Golia,
User Rank: Author
10/7/2013 | 9:13:53 PM
re: Is Data Security Software Good Enough?
Well, perhaps the solution then is to open that organization to more than just financial services. There are plenty of horizontal technology organizations; certainly technologists from different types of companies have valuable information related to this crucial aspect of the job.
Byurcan,
User Rank: Author
10/7/2013 | 12:46:40 PM
re: Is Data Security Software Good Enough?
Yes, I've interviewed a couple of folks involved with the FS-ISAC over the past couple years. The banking industry is definitely mostly past the point of being wary of sharing sensitive information when it comes to cases of fighting cyberattacks.
Greg MacSweeney,
User Rank: Apprentice
10/7/2013 | 10:16:08 AM
re: Is Data Security Software Good Enough?
The US financial industry is starting to do a good job when it comes to sharing cyber threats. The Financial Services Information Sharing and Analysis Center is a good starting point and almost all banks participate in it. Now that the banks are involved and they can see the benefits, the next step is to move to real-time threat information sharing. While it is helpful to see that a bank was attacked last week, security experts see real value in sharing information as threats are evolving so other banks can respond quickly to attacks that are actually happening at that moment in time.
KBurger,
User Rank: Author
10/5/2013 | 2:41:00 PM
re: Is Data Security Software Good Enough?
Understandable but disturbing that security strategy seems to be driven largely by resource considerations vs the nature of the threats/risks themselves. I am sure that some of the software expenditures are basically a straightforward way to respond to CEO/board inquiries: Are we secure/prepared? Easier to say, "yes, we just installed XYZ Software," than to try to change the culture. That's why Sussman's observations are on target. Another non-software challenge around security is cross-company collaboration. In banking, for example, a hurdle to dealing with (increasingly global) fraud/crime has been reluctance of banks to share information and work together to address these kinds of threats. As Sanabria says, no one wants to publicize that they have been breached. It's changing but a long way to go.