Forrester has a recommendation for CISOs struggling with how to secure corporate data:
Stop trying so hard.
Despite years of investments in technology and processes, protecting enterprise-wide data remains a maddeningly elusive goal for chief information security officers (CISOs). Software-as-a-service (SaaS), Web 2.0 technologies, and consumerized hardware increase the number of escape routes for sensitive information. Regulations, statutes, and contractual expectations drown CISOs in audit requests and ratchet up the pressure to do something about the problem. Hordes of vendors confuse CISOs with innumerable sales pitches.
Instead of beating your head against the wall, devolve responsibility to the business, keeping controls closest to the people who use the data. IT security should be primarily responsible only for deploying data protection technologies that require minimal or no customization.
Data-Centric Security Is More Important Than Ever--But Harder To Achieve
Today's regulatory climate forces IT security to comply with statutes such as Sarbanes-Oxley and HIPAA, industry-imposed security standards such as the PCI Data Security Standard (DSS), and an unending barrage of audit requests from key customers, banks, and auditors. From Boeing to Petrobras to The TJX Companies, daily newspaper headlines grimly announce the latest toxic data spills, causing increased customer scrutiny.
The pressure on IT security to secure enterprise data in all its forms has reached its breaking point. According to Forrester's Enterprise And SMB Security Survey, North America And Europe, Q3 2008, a huge majority of IT professionals--85 percent--worry about the loss of intellectual property. But IT security staffs are stretched thin and are increasingly challenged to solve an essentially unbounded problem. Organizations today face:
-- Massively increased conduits for information flow. Fifteen years ago, the most common Internet connection was the T1. Today, it is the OC-12--two orders of magnitude more bandwidth. Increasingly, mainstream technologies like virtualization are redrawing the lines between operating systems and the hardware they run on. And the adoption of non-owned IT assets continues apace. The confluence of outsourcing, SaaS, and unmanaged consumer gadgets ensures that IT security's grip on information has never been more tenuous.
-- Consumerization of IT moves data beyond the reach of the CISO. The increased use of Web 2.0 technologies such as blogs, social networking, and consumer-grade instant messaging increases the speed with which information moves outside of the enterprise. [Editor's note: See also Facebook, Twitter, LinkedIn: Security Pros Warm to Web 2.0.] Worse, the pace of change of consumer gear tempts employees to ditch stodgy corporate hardware and bring their own gear to work--creating even more data worries.
-- Too many vendor point products. In considering solutions for securing data, enterprise CISOs are confronted with the tyranny of choice. Lost a laptop lately? Full-disk encryption will fix that. Employees promiscuously passing around payment card records? A dab of data loss prevention (DLP) will surely do the trick. The surfeit of solutions to narrowly defined technical problems ensures that the wish list only gets longer.