Security Technology Executive

JAN-FEB 2013

Issue link: https://securitytechnologyexecutive.epubxp.com/i/107544


SAGE CONVERSATIONS

secrets," Mislock said. "If you relegate this to just one area of the company, it will not get done." You need managers who are educated in what to look for, because they are the first people who will notice red flags and unusual behavior.

• Identify the crown jewels and protect them first: This was outlined earlier in this article.
• Establish a dedicated investigative team: The group should be aware of all threat analysis, and investigations should not be performed on an ad-hoc basis.
• Educate your employees: Establish a corporate or global-level education program. "There has to be a steady drip of education and awareness training of what is a trade secret and how the organization protects them," Mislock said.
• Create a written policy: The policy should present an overview of trade secret protection requirements, and it should include crucial information such as: the definition of a trade secret, including how it is classified in the organization; why the policy is important to the organization; employee responsibilities (both incoming and outgoing); visitor management practices; and audit and compliance procedures — at a bare minimum. Most importantly, Mislock said, it should be clearly stated that employee compliance with the policy is a condition of employment.
• Deploy IT protection tools: The FBI warns of "international spies and hackers probing online security systems" as a major vehicle for trade secret theft. There is no 'silver bullet' IT tool, but data encryption is a must, Mislock said.

Protecting your company from the risk of trade secret theft is perhaps one of the most difficult tasks you can face as a security executive. All the experts warn that this is a constantly evolving process; thus, your continued vigilance is paramount to keeping it at bay. ❚

Paul Rothman is managing editor of Security Technology Executive magazine. Connect with him on LinkedIn at http://bit.ly/PaulRothmanSTE.
By William Plante

Disseminating Data

How to create a security information architecture in your organization

Today's CSOs are faced with increasing challenges, including budget optimization, improved organizational alignment, enterprise security architectures that use virtualized environments, and the cloud. While data has always been a fundamental security concern, today's technology permits us to integrate and correlate disparate data under a common operating picture to provide relevant business information. This notion of a common operating platform is relatively new, and CSOs should be demanding this from their systems and operations groups.

Designing and implementing a security information architecture aligned to the business goals and objectives should be part of the CSO's mandate. To form a security information architecture, you must understand the business context — such as company mission, future goals, financial performance indicators and organizational culture and behavior. The CSO must have a firm grasp of the business context that their security operations enable, including obtaining baseline information for all business, security system and data structures, and risk assessments.

Once this is done, you can begin to develop the security information architecture and data integration program. In general, developing the concept involves a variety of people, such as information technology, end-users and security, and several concept/strategy whiteboard sessions. It is important to see the broad view at this point — don't get bogged down in the details. Here are some guiding principles:

• Imagination. Imagine how you would like to see critical processes and systems interact with each other regardless of technical constraints.
• Questions. Innovation is accomplished, in part, by bringing a variety of perspectives to focus on one issue. Clever innovations are often born from the ideas of line staff who were tasked to use a system designed one way but used it to fulfill another goal.
• Shift to commercial off-the-shelf (COTS) products. The key is providing one common view using non-proprietary technology.
• Secure the core. The notion here is to integrate and execute under a common platform the essential (core) security services first. Using a data integration scheme within your own domain should give you credibility with others.
• Benchmark. Take note of what others have successfully accomplished.

Once the concept is outlined, you need an execution plan — typically in 18-, 24- and 36-month increments. A typical strategy includes:

1. The Master Plan – the execution strategy through actual implementation. It must include routine quality assurance, performance management and KPIs.
2. Proof Point – design the architecture with just enough functionality and integration to prove the concept works.
3. Workflows – the creation of standardized workflows provides quality measurements against performance. This is a well-established notion in the Six Sigma world and should be part of this program.
4. Value and Measures – demonstrate value to the company's mission and measure business value from the security service. Designing a system that helps promote service value must be created within the business context. ❚

On March 4-5 in Seattle, The Great Conversation will feature thought leadership in security and comprehensive case studies involving the integration of current and emerging technologies (see page 33 for more details). William Plante is Director of Professional Services at Aronson Security Group, which hosts the event. For more information, please visit www.the-sage-group.com/greatconversation.
