Increasingly complex security solutions complicate CTOs' defense of the enterprise

Carter’s “dare you” approach is too aggressive for some. But it symbolizes the need CTOs feel to respond to the growing number and complexity of threats, which in turn have sparked a flood of point security solutions from vendors. “The problem with many of the security solutions today is that they are highly fragmented,” says Peter Lindstrom, director of security strategies at Hurwitz Group in Framingham, Mass. “There are hundreds, if not thousands, of point solutions [aimed] at problems, but people aren’t sure where the problems are.” Since Sept. 11, security has become a highly visible, board-level issue. But board members do not want to hear from the CTO about the difficulties of securing the enterprise. They only want to know that systems and corporate and customer data are safe, and they expect the CTO to ensure that the company does not become the victim of a costly or embarrassing security incident. For the CTO, a single solution that protected the company from every kind of intrusion, virus, and other security incident would be ideal. But few chief technologists are convinced that such a perfect tool exists. With ultimate responsibility for a secure enterprise, and in the absence of a complete single-vendor solution, the skills of the CTO are being put to the ultimate test.

Defining the problem

Vendors are cashing in on the growing security market and have devised a dizzying and costly selection from which CTOs can choose. A recent report from Framingham, Mass.-based research company IDC says that the 2001 worldwide market for information security services grew to $8 billion, up $1.3 billion from $6.7 billion in 2000. The trend is expected to mushroom, with the security market nearly tripling to $23.6 billion by 2006.
Despite the growing market and media play on high-profile events and viruses, many CTOs work under budget constraints that force them to provide increased security with fewer funds, according to the IDC report. Meeting security needs under these conditions requires careful planning, CTOs say. Conducting a broad evaluation is the first step toward developing a security architecture. “The goal is to try to figure out what you are trying to secure, and that isn’t necessarily easy,” Hurwitz’s Lindstrom says. To cut through the fog, CTOs should prioritize their vulnerabilities, says Paul Strassman, a New Canaan, Conn.-based IT business consultant who is currently acting as a technology advisor to NASA. “Risks vary from company to company,” Strassman says. “There are differences between mosquito bites and snake bites, and you should have a different approach for each.”

Same industry, different security issues

The security concerns of Max Keeler, CTO of The Motley Fool, about keeping his financial information site running smoothly are less critical than those of Jerrold Grochow, CTO of online brokerage FOLIOfn. At Alexandria, Va.-based The Motley Fool, Keeler has judged the levels of risk posed to the financial news and content site. “Our task is really to focus on the risks specific to us,” he says. “Are we in the same category as a bank? Probably not.” As a result of this evaluation, Keeler has a view of security risks and needs specific to The Motley Fool. “If our site went down, it would be very embarrassing,” Keeler says. “But we’re not doing [financial] transactions. We’re not in the risk category where you need a CSO [chief security officer].” With others’ funds ultimately under his watch, FOLIOfn’s Grochow is reluctant to name any vendors or divulge his security practices. “You have to think about protecting customer data,” Grochow says. 
“All online financial institutions have to worry about customer data flowing back and forth across the Internet.” A security breach at FOLIOfn could result in downtime, missed trades, and possible government sanctions, likely more damaging than a security breach at The Motley Fool. Thus, Grochow’s view and solutions differ from those of The Motley Fool’s Keeler. The current challenge for Keeler is to filter out what he calls “noise”: the network probes launched to find weaknesses in the Web site, which offers investment news and information, including stock quotes, company reports, message boards, and its own quirky columnists. Keeler deploys Sunnyvale, Calif.-based ArcSight’s security management solution, which provides automated network monitoring, resolution, and reporting of threats and attacks. The Motley Fool’s CTO also uses Cupertino, Calif.-based Trend Micro’s OfficeScan anti-virus protection software. On the other hand, FOLIOfn secures its data flow using S-HTTP (Secure HTTP), per Grochow. Note that S-HTTP proper (RFC 2660) is a rarely deployed message-level protocol distinct from HTTPS, which is HTTP carried over SSL/TLS and is what browsers and online brokerages overwhelmingly use to protect customer data in transit; the two names are often conflated. FOLIOfn also uses an outside company to conduct intrusion analysis and system auditing. “They look to see if anyone can get into the system from the back door,” Grochow says. He also uses anti-virus protection software.

Multiple-vendor solutions, or one?

Faced with securing the enterprise at multiple points, CTOs have to assess whether using solutions and tools from several different vendors further complicates the picture. Some, such as Elogex’s Carter, haven’t found one single-vendor offering that meets their enterprises’ needs. Others are reluctant to deal with the problems of managing multiple tools from multiple interfaces. At Elogex, Carter’s approach to security is layering a series of solutions to provide multiple points of protection across complex systems. 
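The “noise” Keeler describes, scanners sweeping many ports in seconds to look for an open service, can be separated from the attempts worth an analyst’s time with simple correlation over firewall deny logs, which is the kind of work a security management product automates. The following is an added example, not code from The Motley Fool, ArcSight, or the article; the log lines are constructed, the key=value format is hypothetical, and the thresholds are illustrative. It goes slightly beyond the text by also flagging a source that hammers a single port, which is the opposite of sweep noise:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall deny-log lines in a hypothetical key=value export
# format (not a real ArcSight or Motley Fool feed). Three sources:
# one sweeps ten ports in seconds, one hammers a single port, one appears once.
SAMPLE_LOG = """\
2002-06-12T10:01:02 DENY src=203.0.113.5 dst=192.0.2.10 dport=21
2002-06-12T10:01:02 DENY src=203.0.113.5 dst=192.0.2.10 dport=22
2002-06-12T10:01:03 DENY src=203.0.113.5 dst=192.0.2.10 dport=23
2002-06-12T10:01:03 DENY src=203.0.113.5 dst=192.0.2.10 dport=25
2002-06-12T10:01:04 DENY src=203.0.113.5 dst=192.0.2.10 dport=80
2002-06-12T10:01:04 DENY src=203.0.113.5 dst=192.0.2.10 dport=110
2002-06-12T10:01:05 DENY src=203.0.113.5 dst=192.0.2.10 dport=143
2002-06-12T10:01:05 DENY src=203.0.113.5 dst=192.0.2.10 dport=443
2002-06-12T10:01:06 DENY src=203.0.113.5 dst=192.0.2.10 dport=3306
2002-06-12T10:01:06 DENY src=203.0.113.5 dst=192.0.2.10 dport=8080
2002-06-12T10:02:00 DENY src=198.51.100.7 dst=192.0.2.10 dport=1433
2002-06-12T10:02:10 DENY src=198.51.100.7 dst=192.0.2.10 dport=1433
2002-06-12T10:02:20 DENY src=198.51.100.7 dst=192.0.2.10 dport=1433
2002-06-12T10:02:30 DENY src=198.51.100.7 dst=192.0.2.10 dport=1433
2002-06-12T10:02:40 DENY src=198.51.100.7 dst=192.0.2.10 dport=1433
2002-06-12T10:02:50 DENY src=198.51.100.7 dst=192.0.2.10 dport=1433
2002-06-12T11:15:00 DENY src=203.0.113.9 dst=192.0.2.10 dport=25
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) DENY src=(\S+) dst=\S+ dport=(\d+)$")


def parse(log):
    """Return (timestamp, source, destination port) tuples, skipping lines
    that do not match the expected format rather than crashing on them."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))))
    return events


def classify(events, window=timedelta(minutes=5), sweep_ports=8, hammer_hits=5):
    """Label each source:
      'sweep'  - many distinct ports inside one window: scanner noise
      'hammer' - one port, repeated attempts: worth a closer look
      'single' - anything else
    The thresholds are tuning knobs, not magic numbers; adjust them per site."""
    by_src = defaultdict(list)
    for ts, src, port in events:
        by_src[src].append((ts, port))
    verdicts = {}
    for src, hits in by_src.items():
        hits.sort()
        span = hits[-1][0] - hits[0][0]
        ports = {port for _, port in hits}
        if len(ports) >= sweep_ports and span <= window:
            verdicts[src] = "sweep"
        elif len(ports) == 1 and len(hits) >= hammer_hits:
            verdicts[src] = "hammer"
        else:
            verdicts[src] = "single"
    return verdicts


def triage(log):
    """Split sources into sweep noise and items left for an analyst."""
    verdicts = classify(parse(log))
    noise = sorted(s for s, v in verdicts.items() if v == "sweep")
    review = sorted(s for s, v in verdicts.items() if v != "sweep")
    return noise, review


if __name__ == "__main__":
    noise, review = triage(SAMPLE_LOG)
    print("noise (port sweeps):", noise)
    print("for review:", review)
```

Run as a script it prints the sweeping host as noise and the other two for review. The window check matters: the same ten ports touched over a week would not be a sweep by this rule, which is the right call for a site whose goal is to suppress noise without hiding slow, deliberate reconnaissance from a human.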
As an ASP, Elogex enables customers in the food, grocery, and consumer-goods industries to coordinate transportation management logistics by providing automated inbound and outbound transportation information as well as monitoring logistics. Because of the ASP model and customer access to systems, Carter compartmentalizes his network and has crafted a security solution to match. “Everything from the firewall in is served by an advanced intrusion detection system,” which includes Symantec’s Norton AntiVirus Corporate Edition and the company-run network monitoring program, Carter says. With the costs and the often “status quo” feel of some vendor solutions, Carter turns to no-cost security tools, including the Nessus vulnerability scanner and the John the Ripper password cracker, which detects weak passwords. “We use tons of free tools,” Carter says. “It puts you in the mind of a hacker.” Other CTOs do not want to go beyond brand-name security vendors. Ed Eskew says he usually looks to tried-and-true vendors for new products. “When you start with the better [vendor] houses, they are usually the ones that come up with the better products,” says Eskew, vice president of information technology at women’s clothing manufacturer Bernard Chaus in New York. The company deploys a VPN that spans the globe, serving offices in Hong Kong, Korea, and Taiwan, as well as two sites in New York and one in New Jersey. To secure the network, Eskew relies on FireWall-1 from Ramat Gan, Israel-based Check Point Software Technologies to provide access control, content security, authentication, and centralized management. Eskew defines his company’s security policy in the FireWall-1 GUI client; the management server stores that policy and pushes it to the firewall module that enforces it. He also uses email and Internet filtering software from Scotts Valley, Calif.-based SurfControl. 
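What a password cracker does in an audit like Carter’s is worth seeing in miniature: take the stored hashes, hash every word in a list plus rule-based variants of it, and report any account whose hash matches. The block below is an added example, not John the Ripper’s code or anything from Elogex. It substitutes a salted SHA-256 for the real crypt(3) formats John understands, and the shadow entries, salts, passwords and wordlist are all constructed for the demonstration:

```python
import hashlib


def hash_pw(salt, password):
    """Simplified stand-in for a crypt(3)-style hash: salted SHA-256, hex.
    Real crackers implement the real formats (DES, MD5, bcrypt, ...);
    the attack loop is the same."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed "shadow" entries (user, salt, hash), built here from known
# passwords so the example checks itself. Not real credentials.
SHADOW = [
    ("alice", "x7Qp", hash_pw("x7Qp", "summer2002")),
    ("bob", "m2Lz", hash_pw("m2Lz", "Password1")),
    ("carol", "q9Rt", hash_pw("q9Rt", "elogex")),
    ("dave", "b4Kn", hash_pw("b4Kn", "T!9vK#p2Qz@r")),
]

# A tiny constructed wordlist; the company name and the season are the
# kind of entries an auditor adds to a generic dictionary.
WORDLIST = ["password", "summer", "welcome", "elogex", "letmein"]


def mangle(word):
    """Yield variants of a word in the spirit of a cracker's rule file:
    case changes and common digit or year suffixes."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in ("1", "123", "2002"):
            yield base + suffix


def crack_one(salt, digest, wordlist):
    """Dictionary attack on a single hash. Because the salt differs per
    account, every candidate is rehashed for every user; that per-user
    cost is exactly what salting buys the defender."""
    for word in wordlist:
        for candidate in mangle(word):
            if hash_pw(salt, candidate) == digest:
                return candidate
    return None


def audit(shadow, wordlist):
    """Return {user: recovered_password} for every account that falls."""
    cracked = {}
    for user, salt, digest in shadow:
        hit = crack_one(salt, digest, wordlist)
        if hit is not None:
            cracked[user] = hit
    return cracked


if __name__ == "__main__":
    for user, pw in audit(SHADOW, WORDLIST).items():
        print(f"{user}: weak password {pw!r}")
```

Three of the four constructed accounts fall to a five-word list with a handful of rules; only the long random password survives. That is the point of running a cracker against your own hashes before an attacker does: the output is a list of accounts to reset, and the rules that succeeded tell you which password-policy gaps to close.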
For an organization with thousands of clients and multiple databases that include sensitive data such as Social Security numbers, the security responsibilities are far greater than those many CTOs face. Hurwitz’s Lindstrom says there is much merit to using one large system that can fulfill as many security needs as possible. “Security is one of the top issues for us,” says Elayne Starkey, CTO of the state of Delaware, in Dover. “It’s one of the items we are giving a priority to.” Starkey is responsible for securing two sprawling networks that connect thousands of clients: an education network with approximately 40,000 users and a state agency and employee network of as many as 12,000 PC users. Because of the complexity and scope of the systems, the state primarily relies on one tool as an integrated approach to security and supplements only as needed, Starkey says. The single solution from Sunnyvale, Calif.-based CacheFlow takes care of content security for Web traffic, authentication, rules-based filtering and forwarding policies, and logging and event notification. “CacheFlow has served us very well for security and bandwidth filtering,” Starkey says. The vendor offering is also configured with filtering software to protect the state from inappropriate employee browsing and can block access to particular categories of Web sites, such as pornography sites, Starkey says. “It also gives us logging and monitoring capabilities and the ability to go back and review the logs and provide information to [state] agencies.” Despite the tasks handled by this tool, Starkey has had to look elsewhere to round out the state’s security arsenal. Her team also uses anti-virus software from McAfee and, in an innovative initiative, is allowing state employees to take copies of the software home, so that the PCs from which they log on to the network remotely are protected as well, Starkey says. Going forward, she says the IT staff is weighing options for an IDS (intrusion detection system). 
The state also plans a network build-out that will include a redundant core site mirroring the setups of both the state and education networks, with redundant ISP connections, where the team hopes to deploy additional CacheFlow appliances. “The right technology tools are only part of the solution. … An effective IT security architecture is not possible without good policies and crystal-clear accountabilities,” Starkey says.

Staffing security

The complexity and multiple issues surrounding the day-to-day operations of securing an enterprise have led CTOs to look beyond tools to talent. Some are hiring or developing security assistants; others are bringing on full-fledged CSOs. At Elogex, on top of the cloak-and-dagger approach, Carter has a CSO to maintain a comprehensive security architecture. “I’m always challenging him to push the enterprise,” Carter says. “If a large company is asking whether they need a CSO, I can’t recommend it strongly enough.” FOLIOfn has one person assigned to security matters full-time, Grochow says. “He doesn’t have the title of CTO, but he worries about these things on a full-time basis,” Grochow says. Bernard Chaus’ Eskew sees the matter differently, preferring to spread the security work across three or four people, who together spend about 25 hours per week on security tasks and issues. He and his staff are on the lookout for new products. “If you close your mind to [innovations], you might miss the one solution that fits,” he says. “I try to see what’s new out there. And once a month, I try to sit down with my network people to share what I’ve discovered and what they have discovered.” In addition, CTOs should also consider outsourcing security, Hurwitz’s Lindstrom says. “There are a lot of i’s to dot and t’s to cross in security for people at the CTO level who haven’t necessarily been doing security all their lives,” he says. 
Although conditions vary from company to company, CTOs are taking a strategic approach to ensure their assets are safe. Even the unconventional approach of Elogex’s Carter serves an important goal. The sleuthing, he says, “forces us to constantly make sure we are as protected as possible.”