18 CIO Digest July 2010
COVER STORY
By Patrick E. Spencer
“Toto, We’re Not in Kansas Anymore”
The Changing Security Landscape
When Dorothy and her dog Toto are deposited in the Land of Oz in L. Frank Baum’s widely acclaimed children’s novel, The Wonderful Wizard of Oz, and the even
The Wizard of Oz, Dorothy soon realizes that she is no longer in Kansas. The landscape, including characters and threats, has dramatically changed. Many of the characters in the Land of Oz resemble the characters found back on the Kansas farm of Dorothy’s aunt and uncle. However, they are much more imposing and, in the case of the Wicked Witch of the West, much more threatening.
The same can be said of the security and compliance landscape today. The threats of several years ago—whether phishing, malware and viruses, data loss, or compliancy—have trajectories that extend to today’s security landscape. But just as Dorothy exclaims to her dog Toto that they are “not in Kansas anymore” upon arriving in the Land of Oz, IT leaders are quick to point out that the security landscape today is much more imposing and threatening than a few years ago. Threats are growing at alarming rates, and the permutations are creating much more virulent and furtive modes of attack. The security and compliance solutions of a few years ago are becoming quickly outdated—and, more
This article will investigate the changes that have taken place in the areas of security and compliance and will look at several levers that are driving this change. The lat-
compliancy challenges; (2) the alignment of security strategies with business requirements; (3) the growing focus on information and not just infrastructure; and (4) next-generation threat management challenges such as social media and cloud computing. The article also includes insights and recommendations from three global information security leaders: Eddie Borrero from Robert Half International, Yuval Illuz from ECI Telecom and Kim Sassaman from Presbyterian Healthcare Services.
“We’re off to achieve compliance”
-cial crisis and the recent healthcare initiatives in the United States have
-tions and tighter cost constraints. A recent study by the IT Policy Compliance Group shows that organizations with the least amount of downtime and data loss are those that adhere to IT policy and management best practices.1 That is the case with the three organizations interviewed for this article; each is putting more focus on security and compliance.
For example, despite additional regulatory requirements and tighter budgets, the technology roadmap for ECI’s Illuz hasn’t changed. “The
slower path to implementation for certain initiatives,” he reports. And even though ECI is privately held, compliance with industry standards and regulations remains important. “While SOX (Sarbanes-Oxley) compliance is not a requisite for us, we made a decision when the company went private in 2007 to maintain SOX compliance,” he explains. He and his team also adhere to other standards such as the Information Technology Infrastructure Library (ITIL) and ISO27001.
As part of their larger compliancy program, Illuz and his team are using Symantec Security Information Manager to provide a single panel view across all of the company’s security tools and Symantec Control Compliance Suite to manage and enforce compliance against a number of external and internal requirements. “Security Information Manager is the ‘conductor of the orchestra’ for us,” Illuz says. “It helps us manage all of
tools—from one view. We’re just getting started with Control Compliance Suite, but we anticipate that it will enhance our security posture while decreasing the time we spend running reports.”
Podcast: Check out the Executive Spotlight Podcast with HBR’s Angelia Herrin at go.symantec.com/herrin-podcast.
The changes in U.S. healthcare over the past year created a number of new compliance challenges for Presbyterian Healthcare Services’ Sassaman. “Until recently, outside of HIPAA (Health Insurance Portability and Accountability
Act), healthcare hasn’t had to deal with the breadth of regulatory requirements in other industries such as IT in financial services,” he says. “However, this changed with the Payment Card Industry (PCI) Data Security Standard and the privacy and security requirements that are part of the HITECH (Health Information Technology for Economic and Clinical Health) Act. Healthcare organizations are now under the compliance microscope.”
Like ECI’s Illuz, Sassaman and his team have deployed Symantec Security Information Manager for centralized security monitoring and management and Symantec Control Compliance Suite for IT policy management and compliance. Similarly, their security management system is also based on ISO27001.
As Robert Half International is a publicly traded company, Borrero and his team must comply with a number of different regulations. They’ve addressed three basic compliance initiatives over the past several years: SOX, PCI, and HIPAA. “PCI wasn’t at the top of our radar, as we’re a tier-four merchant,” he says. “But we collaborated with our business counterparts to quickly address it, identifying where credit card information was being used, how we were processing cards, and where the data was being stored. We then developed a program to achieve compliance.” And just as Illuz and Sassaman use ISO27001 as the baseline for measuring the success of their security programs, Borrero and his team do as well.
“There’s no place like business-IT alignment”
Alignment of IT and business remains a priority for business executives and IT leaders. Indeed, business process optimization and alignment of business requirements and technology priorities were given top ranking by both CEOs and IT leaders in the recent report, “Unlocking the Value of the Information Economy,” published by the Harvard Business Review (HBR).2 One would infer that there is close functional alignment.
However, this isn’t the case according to the findings of the HBR report. Sixty percent of IT leaders indicated that business requirements and technology priorities need closer alignment, whereas less than 40 percent of CEOs disagreed. The report also reveals that IT leaders are involved only 51 percent of the time in strategic decision making. And this is translating into budget allocation: 23 percent of CEOs believe investing in IT is critical to growing their businesses.
Proof of business and IT alignment should be found in areas such as business process collaboration. But this isn’t the case. Forty-four percent of respondents in the HBR report indicate they do not have cross-functional IT governance models, and moreover IT leaders are involved in strategic decision-making only 51 percent of the time. “CEOs and IT leaders agree that business processes need improvement,” says Angelia Herrin, director of Research and Special Projects at HBR who oversaw the report’s compilation. “But they have different ideas in terms of what it means once you ‘get underneath the hood’ to fix the problem.”
For the entire “Unlocking the Value of the Information Economy” report from Harvard Business Review Analytic Services, visit go.symantec.com/hbr.
Running Security and Compliance as a Business
ROBERT HALF INTERNATIONAL
Upon his arrival, CIO Sean Perry was given the charge to run IT as a business. He leveraged business process optimization to restructure the IT team to align with the company’s different businesses. Underneath this larger umbrella, Eddie Borrero’s assignment was to enhance the company’s long-term, strategic security and compliance plan. To identify the highest priorities, he engaged Protiviti Inc., a Robert Half International global business consulting and internal audit firm, to perform an IT risk assessment using ISO27001 as the basis. Data loss prevention was identified as one priority.
Protecting proprietary data
With a largely silo-based security and compliance infrastructure, Borrero established technology standardization and vendor consolidation as pivotal selection criteria. And as Robert Half International was already a Symantec customer, relying on various storage management—including email archiving and e-discovery—and endpoint security solutions, Borrero didn’t need to look far for a data loss prevention solution. Borrero and his team conducted a proof of concept for Symantec Data Loss Prevention, and both Borrero and his team, as well as Senior Vice President of Operational Support Ken Gitlin, one of the executive sponsors for the project, were convinced that it was the right choice.
Over a period of six months, Borrero and his team rolled out Data Loss Prevention for endpoints and the network, and they are in the process of extending it to cover storage as well. They worked with the different business owners to define policies around discovery, monitoring, management, and enforcement. The solution improved the company’s IT risk posture. “We have a comprehensive vulnerability index that reports on nearly everything, mapping applications to specific business processes,” Borrero says.
The data loss prevention solution is also generating hard business value results. “Because we are now able to enforce certain policies, the time we spend on e-discovery has been reduced by more than 80 percent,” Borrero explains.
Just getting started
Borrero and his team are in the process of upgrading from Symantec AntiVirus to Symantec Endpoint Protection for endpoint security to gain broader functionality and enhanced system performance through its smaller footprint. They also are preparing to roll out Symantec Web Gateway and currently use Symantec Enterprise Vault Discovery Accelerator for email e-discovery. The latter streamlined the discovery process, which saves Robert Half International hundreds of hours in staff time annually.
At the end of the day, Borrero and his team ask themselves three questions when they work on security and compliance initiatives: (1) how are they mitigating risk and improving the IT risk posture of the company; (2) how are they enabling the business; and (3) how are they saving the company money. “If we get these right, then we are on the right track,” he concludes.
Robert Half International
Founded: 1948
Headquarters: Menlo Park, California
Locations: 400 locations worldwide
Employees: 9,900
Website: www.rhi.com
Security Team: Staff is broken into three teams: (1) risk and compliance; (2) engineering focused on traditional security architecture and infrastructure; and (3) operations tasked with security monitoring, service desk, e-discovery, compliance, and other associated functions.
Business Overview: World’s leading specialized staffing service and the first to provide placement services for accounting, finance, and IT professionals. Parent company of Protiviti Inc., a global business consulting and internal audit firm.
Symantec Security and Compliance Solutions:
> Symantec Endpoint Protection
> Symantec Data Loss Prevention
> Symantec Web Gateway
> Symantec Enterprise Vault
> Symantec Consulting Services
“We have a comprehensive vulnerability index that reports on nearly everything, mapping applications to specific business processes.”
– Eddie Borrero, Director of Information Security, Robert Half International
Podcast: Check out the Executive Spotlight Podcast with Eddie Borrero at go.symantec.com/borrero-podcast.
Each of the security heads interviewed for this article has been able to achieve business and IT alignment by engaging business owners in strategic decision making. When Robert Half International’s Borrero was named to oversee information security, CIO Sean Perry charged him to develop a next-generation security and risk management program.
Borrero didn’t look very far before finding an organization to get the process started; he engaged Protiviti Inc., Robert Half International’s global consulting and internal audit firm, to conduct an ISO27001 risk assessment and provide corresponding recommendations. “The audit provided us with a framework to engage the business and to get our C-level executives involved in security and compliance discussions,” Borrero says. Due to the results of the effort, an Information Privacy and Protection Steering Committee—consisting of representatives from IT and various business executives—is now charged with driving the larger security and compliance strategy for the company. “We manage not only our security and compliance initiatives but all of our IT projects from a raw portfolio perspective,” Borrero notes. “A business owner is involved in every IT project, from initial approval to go live. IT—and specifically security and compliance—is really a part of our business.”
When Illuz was appointed to lead information security and compliance at ECI, there was little interaction with business owners. “We had little cross-functional alignment, and security and compliance was done in silos,” he remembers. “Sometimes security programs weren’t even driven at the global level but at individual offices.” This was one of the first initiatives he drove: global consolidation of security and compliance.
The next step was standardization. “As we move from infrastructure-based security solutions to information-based security solutions, a convergence of technologies is taking place,” Illuz says. How individual solutions behave within an integrated stack and what the long-term roadmap looks like is the central consideration for Illuz: “The ability to add layers of security as needed—whether it is messaging security, data loss prevention, or compliance—is what has guided our acquisition strategy.”
Sassaman was initially engaged at Presbyterian Healthcare Services as a consultant and was tasked to look at security and compliance audits and to make corresponding technology and process recommendations. Like ECI, Presbyterian Healthcare Services didn’t have an integrated security program; it had a number of networked silos with little or no business alignment.
Working in concert with the CIO, Donna Agnew, Sassaman restructured his team for better alignment with the business and formed I-SPOT, an information security oversight team that is chaired by Agnew and the chief compliance officer and is comprised of representatives from across the business. “We have great visibility as a result of I-SPOT and our realignment,” Sassaman notes. “Indeed, because of its success, we now have representation on the Compliance and Audit Committee on which several members of our board of directors sit.”
7 Tips on Building a Comprehensive Security Program
The following are based on recommendations gleaned from the interviews with Borrero, Illuz, and Sassaman.
1. Seek providers focused on business requirements and technology challenges, not individual product features.
2. Look for an integrated set of solutions that include a long-term roadmap.
3. Standardize security and compliance infrastructure as much as possible to gain operational efficiencies and value-add.
4. Select security and compliance solutions focused on information—and eventually identity and interactions.
5. Build cross-functional linkages and governance models to ensure buy-in and collaboration from relevant business owners.
6. Establish soft (e.g., improved IT risk posture, etc.) and hard (e.g., reduced cost, improved staff productivity, etc.) business value metrics that are communicated pre- and post-implementation.
7. Technology is not an end-all solution for meeting security and compliance requirements; an effective strategy also includes processes and people.
Left to right: Andre Lewis, Manager, Information Security; Eddie Borrero, Director, Information Security; and Kuo Chan Huang, Manager, Security Infrastructure, Robert Half International
The “information brick road”
Despite the rapidly changing threat landscape, security and compliance technologies and strategies have not remained stationary; they are evolving to proactively address the new and ever-changing surroundings. And while security at the infrastructure layer remains important, the focus has evolved to the information layer. Locking down the infrastructure is no longer enough—or even an option. Information is everywhere: laptops and desktops, mobile devices, portable memory storage, data center servers, and storage systems. And it is being accessed from any number of locations: from workplaces, to coffee shops and hotels, to ski resorts and beaches, to airplanes. “We’ve seen significant proliferation in endpoints and the ways information is being accessed in just the past year or two, and this trend is only going to increase,” ECI’s Illuz notes.
CEOs and IT leaders both agree that information is an essential business ingredient. For example, the HBR report found that 54 percent of CEOs strongly agree that information is a key strategic asset. “Regardless of what business you’re in, information is your most vital asset,” says Herrin. “You cannot run your business without it.”
One thus should find a comparable ratio placing a premium on protecting that information; however, only 21 percent strongly agree that investing in IT is critical to growth. Yet at the same time, less than half of CEOs feel their companies have adequate security controls in place. This is corroborated by recent findings by the Center for Strategic & International Studies: 66 percent of firms it surveyed reduced their security spend in 2009, including 27 percent reporting reductions in excess of 15 percent.3
Information is critical when it comes to healthcare; it literally can mean the difference between life and death. However, before he could begin focusing on information—at rest and in motion—Presbyterian Healthcare Services’ Sassaman had to address fundamental security infrastructure requirements. He began by implementing Symantec Security Information Manager to provide consolidated management and reporting across the entirety of Presbyterian Healthcare Services’ security infrastructure.
Sassaman and his team then turned their attention to information. “We wanted to understand where the information resided, how it was being used, and who was accessing it,” he says. And Sassaman sought a solution with a long-term roadmap that would address information sharing not only within Presbyterian Healthcare Services but with other healthcare organizations. The team ultimately settled on Symantec Data Loss Prevention. “We call it our ‘data bloodhound’,” he jokes.
For the Passion of Security
EDDIE BORRERO
After completing four years of service in the United States Navy, working in the reactor room of an aircraft carrier, Eddie Borrero took a job in construction. And even though he quickly moved into a supervisory role, he knew that construction was not a long-term career objective. He applied and was accepted to begin work on an undergraduate degree at a college in the San Francisco Bay Area.
One of the first things he did was purchase a computer to help with his school work. “I fell in love with the computer and had torn it apart within the first week of school to figure out how it worked,” Borrero recalls. “I wanted to know everything about it.” However, as the school had limited offerings around computer science, Borrero soon transferred to Saint Mary’s College of California, where he completed a degree in business administration. He currently is working on a master’s in business administration at John F. Kennedy University.
Some Christmas cheer
While Borrero was still working on his degree at Saint Mary’s College, he attended the holiday party for his wife’s company and met a vice president of a consulting organization. The vice president was impressed with Borrero’s passion and invited him to interview for a position. “They hired me as a consultant,” he says. “It was a great opportunity to pair what I was learning in class with real-world challenges.”
Borrero eventually left the consulting company and ended up as an IT infrastructure manager in 1998. However, as he had gained a background and interest in security throughout his career, he accepted a position at Intuit as a lead security engineer. He joined Robert Half International in 2005 and was eventually charged by CIO Sean Perry to oversee Global Information Security and Compliance.
Is there an award winner in the room?
It took Borrero several career paths before he found his true passion. However, once he found it, he hasn’t let up. Indeed, Robert Half International recognized him as one of the five Chairman’s Circle winners through the company’s annual Circle of Excellence Awards. “I am normally assigned the task of compiling the results,” Borrero quips. “When Sean told me that it had been reassigned, I knew something was up. It was truly a real honor and a big surprise.”
It’s Comprehensive—and It’s Integrated
ECI TELECOM
Upon his arrival at ECI in 2009, Yuval Illuz discovered a highly distributed security and compliance infrastructure. Management of these disparate, point product solutions was highly inefficient. The different pieces didn’t integrate, and the ECI team often had instances where the products were in conflict with each other. “Support was an often complicated, complex process,” Illuz says. “It was difficult to ascertain the root cause of a problem and the support teams from each of the different security vendors would point the finger of blame at each other.” The situation was further aggravated by the fact that a standard security and compliance infrastructure did not exist across all of the company’s offices. “One of my primary goals was to build a cross-functional security team and equip it with the tools needed to understand what was happening across the entire organization,” Illuz summarizes.
Starting point: data loss prevention
After completing an assessment of the security and compliance infrastructure, Illuz and his team made the decision to reach a standard global infrastructure and to consolidate the different toolsets down from another technology provider. “It wasn’t an easy decision to move away from some of these technology solutions,” Illuz recalls, “but it was the right choice.”
After looking at solutions, including product roadmaps, Illuz and his team settled on Symantec. “I had confidence that Symantec would deliver on our business requirements,” Illuz says. “They had the most comprehensive product portfolio and a strategic, long-term roadmap that aligned with our business.”
Illuz and his team embarked on working with Symantec to migrate their existing security and compliance infrastructure pieces to Symantec technology solutions. With heavy investments in research and development, proprietary information is a critical asset for ECI. As a result, rather than starting with the security infrastructure, Illuz decided to begin by addressing the biggest security and compliance gap—data loss prevention. He and his team, with help from Symantec Consulting Services, rolled out Symantec Data Loss Prevention, initially for just storage and the network but subsequently to endpoints. For the initial deployment, they turned on the Discover and Monitor modules and are in the process of adding the Manage and Prevent modules for certain users and data types based on defined policies. “Thanks to Symantec Data Loss Prevention, we are now proactive in protecting our proprietary information,” Illuz says. “Our data is much safer now.”
Benefits go beyond reduced IT risk. For example, ECI’s IT staff previously spent an average of 210 hours each month analyzing and evaluating more than 300 alerts for potential data loss. This is no longer necessary with Data Loss Prevention, equating to a three-year labor productivity savings of US$224,000.
Comprehensive endpoint and messaging security
Concurrent with the data loss prevention rollout, Illuz and his team opted to begin implementing different components from Symantec Protection Suite Enterprise Edition. For endpoint security, ECI had relied on a disparate set of endpoint security solutions from another technology provider. “We needed a more comprehensive and integrated solution and Symantec Protection Suite met our requirements,” Illuz says. With the help of Symantec Consulting Services, the ECI team migrated all of its clients and data center servers to Symantec Endpoint Protection and added Symantec Network Access Control for enhanced protection. They also extended Symantec Endpoint Encryption to all clients.
Seeking to reduce incoming spam and false positives, Illuz and his team migrated their messaging security infrastructure from a prior solution to three Symantec Brightmail Gateway appliances and one Symantec Brightmail Gateway virtual machine. “We sought productivity gains,” Illuz notes. “IT staff was spending too much time remediating infected clients and servers, and end users were incurring downtime. The migration was one of the easiest IT projects I’ve ever managed; there was no disruption of email. In addition, the integration with Data Loss Prevention was straightforward.”
For backup and recovery of clients, the ECI team is in the process of replacing a previous solution with Symantec Backup Exec System Recovery. The current backup procedure is a manual process that takes an average of six hours. Once Symantec Backup Exec System Recovery, which is part of Symantec Protection Suite, is in place, recovery time will be slashed to about 10 minutes. Illuz and his team also recently added Symantec IM Manager for scanning instant messaging for viruses and malware along with enforcing outbound content policies.
Next steps: security and compliance management
With the above pieces in place, the ECI team collaborated with Symantec Consulting Services to add Symantec Security Information Manager and has Symantec Control Compliance Suite on the deployment roadmap for later in the summer. “We’ve assembled a number of pieces to the security puzzle, and Security Information Manager brings it all together,” Illuz says. Enhanced security management will drive in excess of $20,000 in productivity improvements over a period of two and a half years.
“Information is at the core of our business, and it is our obligation to protect it,” he concludes. “The loss of intellectual property could literally mean millions of dollars in lost revenue or millions of dollars in litigation. We’ve taken a comprehensive approach and have dramatically reduced our IT risk exposure while driving substantial operational efficiencies.”
ECI Telecom
Founded: 1961
Headquarters: Petah Tikva, Israel
Locations: Offices in over 35 countries worldwide
Employees: Approximately 2,500
Website: www.ecitele.com
Security Team: 2 staff, plus outsourcing team
Business Overview: Leading supplier of telecom networking infrastructure for service provider networks worldwide; offerings are platforms and services that enable key applications such as business services, voice, video, and wireless backhaul.
Symantec Security and Compliance Solutions:
> Symantec Protection Suite Enterprise Edition (Components Deployed: Endpoint Protection, Endpoint Encryption, Brightmail Gateway, Backup Exec System Recovery)
> Symantec Data Loss Prevention
> Symantec Control Compliance Suite
> Symantec Security Information Manager
> Symantec Enterprise Vault
> Symantec IM Manager
> Symantec Consulting Services
“The loss of intellectual property could literally mean millions of dollars in lost revenue or millions of dollars in litigation.”
– Yuval Illuz, Head of Information Security, ECI
“Security Information Manager is the ‘conductor of the orchestra’ for us.”
– Yuval Illuz, Head of Information Security, ECI
Video: Yuval Illuz discusses the comprehensive security and compliance program he and his team have rolled out at go.symantec.com/illuz-video.
Podcast: Check out the Executive Spotlight Podcast with Yuval Illuz at go.symantec.com/illuz-podcast.
Information is intellectual property for ECI. “We develop a lot of source and patent code that is the lifeblood of the company,” Illuz explains. “It is our obligation to protect it.” He has taken a holistic approach in protecting and managing information, and standardization has served as the methodological underpinning. In particular, the ability to leverage “layered” security and compliance solutions with an underlying technology infrastructure was the primary reason for his selection of Symantec.
With information in the foreground, he and his team elected to address three solution areas: endpoint security, messaging security, and data loss prevention. “The integrated architectures of Symantec Protection Suite, Network Access Control, Brightmail Gateway, and Data Loss Prevention create unique opportunities for us,” Illuz observes. “The integrated stack allows us to monitor, manage, and enforce information policies across all of our disparate endpoints, data stores, and network.”
Robert Half International’s business is all about information; specifically, proprietary data. With the results of the IT risk assessment in hand, Borrero embarked on developing a data loss prevention strategy that would address short- and long-term requirements. “When we did the proof of concept for Symantec Data Loss Prevention, few on the team believed that we could accurately identify information in a very granular manner without impacting the business,” he quips. “But we did.”
Using exact data matching and index data matching to define policies for discovery, monitoring, management, and enforcement, Robert Half International and Protiviti teams now have a comprehensive understanding of where and how data is being used. “We’ve gone from a very manual, reactive data loss prevention posture to a proactive, automated approach,” he says.
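Exact data matching, as used by Borrero’s team, works by fingerprinting each field of the records that must be protected and then raising an incident only when several fields from the same row turn up together in an outgoing message; a lone first name or a bare six-digit number does not trip the policy. The Python below is an added illustration of that mechanism and is not Symantec Data Loss Prevention code. The records, the sample messages, the index key and the function names are all constructed for the example; it also shows the monitor-versus-prevent policy mode as a flag, logging incidents in one case and blocking the message in the other. Index data matching (fingerprinting whole documents) is not shown.

```python
"""
Exact data matching (EDM) in miniature: fingerprint the fields of protected
records, then scan text for rows where several fields co-occur.
Added example, not Symantec DLP code. All records and messages are constructed.
"""
import hashlib
import hmac
import re

# Assumption: a per-index secret, so the fingerprint index never stores the raw
# values and cannot be brute-forced offline without the key.
INDEX_KEY = b"demo-index-key-not-for-production"

FIELDS = ("employee_id", "name", "account")

# Constructed sample of protected records (the "source table" an EDM policy indexes).
RECORDS = [
    {"employee_id": "E10442", "name": "Ada Lovelace", "account": "GB29NWBK60161331926819"},
    {"employee_id": "E20871", "name": "Alan Turing", "account": "GB94BARC10201530093459"},
]


def normalize(value: str) -> str:
    """Case-fold and drop everything except letters and digits, so that
    'Ada  Lovelace', 'ada-lovelace' and 'ADA LOVELACE' fingerprint identically."""
    return re.sub(r"[^a-z0-9]", "", value.lower())


def fingerprint(value: str) -> str:
    """Keyed hash of the normalized value; the index holds only these."""
    return hmac.new(INDEX_KEY, normalize(value).encode(), hashlib.sha256).hexdigest()


def build_index(records):
    """Map fingerprint -> {(row, field)} so a hit tells us which rows it came from."""
    index = {}
    for row, rec in enumerate(records):
        for field in FIELDS:
            index.setdefault(fingerprint(rec[field]), set()).add((row, field))
    return index


def candidates(text: str, max_ngram: int = 6):
    """Yield every window of 1..max_ngram words, so multi-word names and
    space-separated account numbers ('GB29 NWBK 6016 ...') match as a whole."""
    words = re.findall(r"[A-Za-z0-9][A-Za-z0-9._@-]*", text)
    for n in range(1, max_ngram + 1):
        for i in range(len(words) - n + 1):
            yield " ".join(words[i:i + n])


def scan(text: str, index, min_fields: int = 2):
    """Return {row: [fields]} for rows with at least min_fields distinct fields
    present in text. Requiring correlated fields is what keeps EDM from firing
    on a common first name or a number that merely looks like an ID."""
    hits = {}
    for cand in candidates(text):
        for row, field in index.get(fingerprint(cand), ()):
            hits.setdefault(row, set()).add(field)
    return {row: sorted(fields) for row, fields in hits.items() if len(fields) >= min_fields}


def apply_policy(text: str, index, mode: str = "monitor", min_fields: int = 2):
    """mode='monitor' records incidents but lets the message pass;
    mode='prevent' blocks it. Returns (allowed, incidents)."""
    matches = scan(text, index, min_fields)
    allowed = not matches or mode != "prevent"
    action = "logged" if allowed else "blocked"
    incidents = [{"row": row, "fields": fields, "action": action}
                 for row, fields in sorted(matches.items())]
    return allowed, incidents


if __name__ == "__main__":
    idx = build_index(RECORDS)
    msg = "Please wire the bonus for Ada Lovelace to GB29NWBK60161331926819 today."
    print(apply_policy(msg, idx, mode="monitor"))
    print(apply_policy(msg, idx, mode="prevent"))
```

The `min_fields` threshold is the knob that trades recall for false positives: a policy that fires on one field is essentially a keyword list, while one that demands two or three correlated fields from the same row only fires when the protected record itself is leaving. The same code path serves the monitor phase (collect incidents, tune policies) and the later prevent phase (block), which is the usual way to roll a DLP policy out without cutting off legitimate traffic.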
Looking beyond the “Emerald City”
The threat management horizon shows that additional storm clouds are forming. Criminal activity will continue to prompt evolution in security and compliance technologies.
YUVAL ILLUZ
Theoretical + Practical = Success
Evolution and development of a professional career is not something that happens by accident. It typically requires careful planning and execution. This is precisely the approach Yuval Illuz has taken with his career. He determined very early in his academic studies that security and compliance were areas of real interest to him. “I constantly sought opportunities to combine my academic studies with my professional responsibilities,” he says. “This gave me the ability to take the theoretical and turn it into practical action.”
Hands-on roles lead to management
Illuz, who holds a bachelor’s degree in computer science and management from the Open University in Israel and a master’s degree in management of information technology from Clark University, and has enriched the degrees with several security and compliance certifications, began his career in a number of hands-on IT roles. “I wanted to ‘get my hands dirty’ by touching as many IT functions as possible,” he remembers. “Responsibilities involving security and compliance today require a broad understanding of nearly every aspect of IT. Without this comprehensive foundation, it is very difficult to catch up.”
Illuz began his security and compliance career as a security administrator at El Al Airlines and moved into similar positions with expanded responsibilities at NetVision Inc., one of the largest ISPs in Israel, and Strauss Group, a leading food industry manufacturer based in Israel. “I had an opportunity to gain valuable experience and served as the information security manager during my last two years at Strauss Group,” Illuz says.
Experience and education coalesce
In early 2009, ECI’s executive management team recruited Illuz and charged him with designing and implementing a next-generation security and compliance strategy for the company. The comprehensive program he is driving touches on nearly every aspect of ECI’s business, and his broad educational and professional background is proving to be extremely valuable.
For example, Symantec wrote more security signatures in 2009 than in the previous 17 years combined, and the company is on track to replicate this feat in 2010.
But the challenges don’t stop with outsiders with malicious intent; they also extend to insiders who largely have good intentions at heart. In particular, consumerization of IT introduces new complexities, ones that are still being played out. Millennials—Generation Y—grew up with technology and assume that the same technologies they leverage in their personal lives will be available in their work environments. Their predilection for different devices creates various endpoint security challenges that must be addressed with comprehensive endpoint security solutions that include network access control. Their heavy reliance on social media is something that hasn’t been lost on those who exploit individual and organizational vulnerabilities. And despite attempts by some IT organizations to block access to social media sites, it is most assuredly a phenomenon that is here to stay; one that has the potential to drive operational efficiencies, enhanced services to customers, and even revenue.
“It is virtually impossible to stop what goes out on the social networks,” Robert Half International’s Borrero notes. “You can block access from corporate devices but not personal devices. And there is a viable business case around the use of social media.” Both ECI’s Illuz and Presbyterian Healthcare Services’ Sassaman concur.
Presbyterian Healthcare Services
Founded: 1907 as Southwestern Presbyterian Sanatorium
Headquarters: Albuquerque, New Mexico
Facilities: 7 hospitals, 30+ clinics
Insurance Plan: 700,000 members
Employees: 10,000+
Security Team: 12 staff
Website: www.phs.org
Healthcare Offerings: A not-for-profit system of hospitals, a for-profit health plan, and a growing medical group committed to improving the health of individuals, families, and communities; hospitals, physicians, caregivers, and insurance plans serve more than 700,000 New Mexicans (one in three).
Symantec Security and Compliance Solutions:
> Symantec Data Loss Prevention
> Symantec Control Compliance Suite
> Symantec Security Information Manager
Podcast: Check out the Executive Spotlight Podcast with Kim Sassaman at go.symantec.com/sassaman-podcast.
And all three of them argue that protecting information on social media sites involves a combination of technology and processes.
“The latest release of Data Loss Prevention includes built-in functionality to do everything from monitoring to enforcing policies on social media activities,” Illuz explains. “We plan to extend this to our environment shortly.” Borrero and Sassaman have similar plans. Nonetheless, all three agree that successful data loss prevention must be broader than just technology; it requires comprehensive security policies and employee training.
There is already a movement toward appliance- versus software-based solutions. “In many instances I’d rather spend time getting the actual solution implemented and configured correctly instead of installing the software and getting it to work on the respective hardware and operating system,” Borrero notes.
The next logical step is toward the cloud. Interaction with, or storage of, proprietary information in the cloud is a key concern for Illuz, Borrero, and Sassaman. But all three are also looking at ways to move security and compliance functions to the cloud. “We investigated traditional security functions such as messaging security or Web security,” Illuz says. “We also have looked at more complex solutions such as data loss prevention or compliance reporting and management.”
KIM SASSAMAN
Siding with “The Good Guys”
Kim Sassaman always knew what he wanted to do when he grew up. “From the first time my hands touched an Apple II in junior high school, I realized that IT was for me,” he relates.
As a student at Sam Houston State University in Texas in the early 1990s, Sassaman discovered the niche of IT security. “At the time, the university didn’t have security on its systems; so anyone could just walk in, sit down, and start exploring,” he recalls. “I started meeting people there, and soon found they were doing things they weren’t supposed to be doing.”
“I had an epiphany one day,” Sassaman continues. “I thought, ‘If I can access systems so freely, what would stop someone from committing malicious crimes?’ I come from a long line of law enforcement in my family, so I started wearing a white hat. I asked myself, ‘Who is securing our virtual borders?’”
Launching a security practice
After college, Sassaman did stints in the energy, technology, financial services, and telecommunications industries—in roles that encompassed both engineering and management. Each of these roles included a security component.
After serving as a security consultant for several years for International Network Services, Sassaman launched an IT security consulting practice as managing director of a small firm called Orange Parachute. “Our firm was primarily focused on doing ISO27001 certifications for large multinational organizations,” he explains. “We honed our practice on building a quality security management program.”
Finding a home in healthcare
In October 2008, the CIO of Presbyterian Healthcare Services, Donna Agnew, approached Sassaman to remediate a plethora of IT audit findings. Sassaman worked at the site for the next six months and prepared a multi-phase proposal for moving security to the next level.
Presbyterian Healthcare Services then offered Sassaman a permanent position to implement the recommendations he had made. “I truly felt that my personal mission was evolving toward information security in healthcare,” he says. “I looked at a field that was young and growing, and that was exciting. So I decided to wind down my consulting practice and go to Presbyterian Healthcare Services full time.
“There are good guys and bad guys in the online world,” Sassaman concludes, “and I want to side with the good guys.”
Chart: Attitudes Toward Information and IT
Source: “Unlocking the Value of the Information Economy,” HBR Analytic Services, January 2010.
Statements surveyed:
> Our organization’s information security policies hinder our ability to grow our business
> The interests of individual business units hamper our ability to fully exploit information at an enterprise level
> The IT structure in our organization is flexible and responsive to changing business conditions
> Our investments in IT are primarily to reduce costs and drive efficiency
> Our company has a cross-functional governance structure for making decisions about investments in IT
> Our CIO is involved in discussions about new products or strategic directions from the start
> We struggle to make the best use of the vast amount of information we have
> Investing in IT is critical to growing our business
> We view our information as a key strategic asset
Values charted (two response percentages per statement): 45%/40%, 23%/48%, 17%/50%, 16%/35%, 12%/32%, 9%/39%, 8%/29%, 7%/31%, 4%/15%.
Evolution is ongoing, and information security leaders like Borrero, Illuz, and Sassaman are already looking to the next wave of security and compliance initiatives. Those will need to go beyond information to the actual identities of those participating in the interactions where information is exchanged. “We’re already seeing this with the Data Insight technology,” ECI’s Illuz observes. “A more granular and accurate picture of our information architecture, when applied in conjunction with our backup and storage retention policies, has the potential to drive substantial reductions in storage.”
Robert Half International’s Borrero adds: “Security will be defined by not only who can access the information but with whom and in what types of interactions—and even when.”
Destination: “Somewhere over the rainbow”
The security and compliance profession has evolved into a much more strategic and sophisticated role within both the IT function and even business. Just a few years ago it was infrastructure-centric; the right antivirus, network, and gateway security solutions equated to a job well done. This is no longer the case. Successful security leaders manage security and compliance at the layer of information—and are looking beyond to subsequent permutations in the threat landscape.
At the end of the day, the goal remains the same as the aspirations of Dorothy, played by Judy Garland in the 1939 film, who sang the now signature song “Over the Rainbow” after arguing with her aunt and uncle. The lyrics of the song convey her desire to escape the travails of her aunt’s and uncle’s farm in Kansas; to be transported to a place where the clouds part and the rainbow appears on the near horizon.
1 “Automation, Practice, and Policy in Information Security for Better Outcomes,” IT Policy Management Group, May 2010.
2 “Unlocking the Value of the Information Economy,” Harvard Business Review Analytic Services, January 2010.
3 “In the Crossfire: Critical Infrastructure in the Age of Cyber War,” Center for Strategic & International Studies, 2009.
Patrick E. Spencer (Ph.D.) is the editor in chief and publisher for CIO Digest and The Confident SMB. Mark L.S. Mullins is a managing editor for CIO Digest and The Confident SMB.
PRESBYTERIAN HEALTHCARE SERVICES
Implementing a Security Strategy
After being hired as Presbyterian Healthcare Services’ first director of information security, Kim Sassaman and his newly-formed staff of 12 began plotting their strategy for implementing the technical recommendations he had brought in as a consultant. They first developed an Information Security Management System (ISMS) based on ISO27001. This process identified several priorities. “First and foremost, we needed visibility,” he says. “Imagine if you purchased a car that didn’t have any gauges or meters on the dashboard. You would never know trouble was brewing.” Other requirements included compliance monitoring and reporting, as well as the development of policies and standards.
After evaluating several vendors’ offerings, Sassaman and his team concluded that Symantec’s IT compliance and data loss prevention solutions were the best fit for the organization’s strategic priorities. In the summer of 2009, Presbyterian Healthcare Services purchased Symantec Data Loss Prevention, Symantec Control Compliance Suite, and Symantec Security Information Manager.
Understanding data in motion
“Data Loss Prevention has given us a deep level of understanding of how data is being utilized,” Sassaman notes. “The vast majority of employees are doing the right thing and just don’t know how to do it securely. We began with the Monitor functionality to get a picture of how information is being utilized.”
The team is now phasing in the Prevent functionality to enforce security policies that have been developed with input from all business units and honed through testing. “We’re doing this deployment very carefully, as we need to make sure that critical medical information gets through when it needs to,” Sassaman says.
Monitoring and reporting on security
“We don’t have any shortage of audits in healthcare, and more are coming,” Sassaman notes. “So Control Compliance Suite has helped us in many ways beyond preparing reports. The Standards Assessment Module has helped us to build configuration standards for our endpoints and report on how many are in compliance. The Policy Module helps us to build and enforce policies. And we’re looking at leveraging the Response Assessment Module to start testing people for awareness of security best practices.”
Symantec Security Information Manager gives Sassaman’s team an integrated view of the organization’s security landscape. “We have a lot of our controls reporting into it, and I have an individual who’s constructing reports and doing analytics on the information,” Sassaman notes. “It’s helping us a lot, especially with our change management program, because we can now detect changes in the infrastructure. It also helps us with process conformance because we can identify lapses inside of a process.”
Looking to the future
Sassaman’s team is currently testing Symantec Protection Suite Enterprise Edition as a possible replacement for a variety of security technologies now found at the organization’s endpoints. “There’s a business value justification to combining several technologies into one agent, and it will improve efficiency to have products that integrate well,” Sassaman explains.
Sassaman and the chief technology officer are also evaluating the Altiris IT Management Suite to manage clients, servers, and assets. “Such a technology would benefit the security group as well as the infrastructure group,” he comments. “The fact that our CTO was previously a CISO means that I have a true partner in the infrastructure space.”