Security Manager's Journal: Getting a handle on the data

Improved data handling should be an easy win for our manager, who is especially excited about IP protection.

Three months into my new job, I've had a chance to assess the landscape and establish some priorities. No. 1 will be the way we handle data.

Trouble Ticket

At issue: When a security manager takes on a new job, he has to assess the landscape and set priorities.

Action plan: The first big push will involve data handling, because the CFO is behind the initiative -- and because data-handling projects involve the protection of the company's intellectual property, which is always a good idea.

There's a very practical reason for this. Before I arrived, the company had spent a lot of money on a third-party data assessment. The findings were startling, and the CFO expects remediation in short order. I want to capitalize on that.

But at least one aspect of data handling is near and dear to the heart of any security professional: the protection of intellectual property. The other goals of our project to improve data handling -- data classification and data retention -- are of more interest to Legal; by including them, I can get some traction and some valuable collaboration time with that department. Some wins there should serve the juicier IP protection aspect well.

I will recommend to Legal that we come up with two or three data classifications, such as "Confidential and Restricted" or "Confidential and Special Handling." Once Legal and some other key business units agree on the classifications, we can create some policies and processes so that workers can determine the classification of data and mark or protect it accordingly.

As for data retention, I will work closely with our internal counsel and, most likely, a firm with experience in retention law. Various federal and state laws require companies to keep certain documents for specified time periods. We will want to develop a policy and a retention schedule for all the categories of documents that we are required to keep. Next, I will add information on these retention policies to my security awareness training program. And we'll need to ensure that we have a place for storing retained data that can accommodate everything from e-mail messages and attachments to Oracle Financials and PeopleSoft HR documents.

ROI for IP

With the program to protect our intellectual property, there is a chance that I will be able to expand my staff and security infrastructure. That's because IP protection is one of the few technology initiatives that has the potential to generate real return on investment. Say that an employee who is planning to leave the company e-mails himself the source code for one of our next-generation products before his departure. If he is successful and isn't detected in time, he could sell that code or use it himself in ways that would directly and negatively affect our future revenue.

But there are certain tools that can detect such activity, giving us a chance to stop potential thieves before they can abscond with the virtual goods. I hope to get the go-ahead -- and the budget -- to deploy them.

To be specific, I am bullish on data leak protection software. I used it at my previous company to detect when intellectual property inadvertently or intentionally left the company network.

To my mind, data leak protection software pays for itself. I also like digital rights management as a way to prevent copying that can result in our IP ending up in the wrong hands.

Peer Connection

Join In!

To discuss security with fellow Computerworld readers, go to

I have told our legal counsel about the potential savings we could realize with such tools, and he is interested in moving forward with the effort. I'll keep evangelizing for this program through focus groups and other forums. I'm keeping my fingers crossed that I will be allowed to procure the appropriate resources to make this a successful initiative.

This week's journal was written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at

Join the CSO newsletter!

Error: Please check your email address.

Tags securitydata protection

More about eSoftetworkOraclePeopleSoftYahoo

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Mathias Thurman

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts