Classifying Information

Over the years, Microsoft has sought to increase protection of its source code. But sometimes it has done too much. "We found a lot of places where we had too many controls around code we'll actually give away for free on TechNet," says DuBois.

The right level of protection can be difficult to pinpoint, however. Too often organizations apply the same standards of security for everything. That leaves some less valuable data overprotected and some more critical IP relatively exposed. Not only that, says Borg, but when CIOs think about what to defend first, they'll often think of the company's most-critical systems, like ERP or customer databases. However, he adds, "that's usually not where the liabilities are created, because that's not where the company creates the most value".

Motorola has developed what it calls an enablement zone environment, which segments the network, allowing groups of systems and applications to share a set of targeted security controls. In this way, security controls are aligned with the risk to the information the systems contain, as well as with relevant regulations or contractual terms. The most intrusive security solutions — including digital rights management, virtualization of content (to prevent its propagation outside the controlled environment) and role-based identity management — "are only warranted on breakthroughs", Boni says. He advocates revisiting the classifications often. "If eternal vigilance is the price of freedom," says Boni, paraphrasing Thomas Jefferson, "continuous monitoring and preparation to respond quickly is the cost associated with global digital commerce."