IT NEVER CEASES to amaze me that companies know where every potted tree in the building is situated, yet have no idea what is planted in their computer systems. I'm talking about the enterprise databases — the most valuable asset a company has. The information contained in these databases will, if properly cared for, yield a bountiful sales harvest for many years. So why are they tended by hourly employees who have no stake in the company? Where is the oversight?
Corporate data should be the second-best guarded part of an organisation (after the employees). How much of a company's assets are locked up in these databases? A good rule of thumb is that each active customer record in a database is worth whatever the acquisition cost would be to replace that customer, usually $US20 and up depending on the industry.
Databases are not only valuable for producing revenue, but if mishandled, they can cause incalculable damage to a company. Yet very few companies have procedures in place that reflect this economic reality. Ask yourself who in your company has the authority to sign a check for $US10,000. Now, who can access any machine, database, software application or backup tape that has customer information on it? If they're not the same person or don't have at least the same pay grade, you have a problem.
I ran engineering and ops for Network Solutions in the late '90s. At the time, we functionally ran the domain name server (DNS) system for the National Science Foundation, including most of the domain name system. On July 16, 1997, a junior-level administrator made a clerical error that caused near real-time global outages across the DNS system. Even though a software bug had originally caused the problem, the real damage occurred when the "man in the loop" failed and the employee transmitted a bad file that was automatically loaded by other servers. The end result was that a significant percentage of people around the world were unable to surf the Web or use e-mail. We fixed it quickly, but there were lingering problems for days and the company received a great deal of unfavourable media attention. Needless to say, we built accountability and redundancy into the human parts of the operational system to avoid similar problems in the future.
I learned a lot from that event, and I've generalised it into a rule: People cause almost all database glitches because they put the information into the system and they take it out again. To effectively control enterprise data, you need to control the people who process it. The most effective way to wield that control is through a measurable, unambiguous process that emphasises accountability.
Management of this process is the primary function of the chief security officer. It is the most effective way for CSOs to exert their authority across the entire company with minimal staffing expense.
The CSO must own this process because no other executive has both the technical knowledge and the objectivity to protect the shareholders' assets. The CSO should assist senior management in creating policy, work with the general counsel to ensure that any pertinent legal issues are addressed, conduct the audits and regularly report the results to the board of directors.
Putting a comprehensive security process in place to manage customer data is like fencing an orchard. It encourages orderly growth, clearly defines boundaries and keeps the product from getting plucked.
David H. Holtzman, former CTO of Network Solutions, also worked as a cryptographic analyst with the US Navy and an intelligence analyst at DEFSMAC.