Interview: Setting policy the IBM way

Last week IBM announced its new Data Governance Council, formalizing a group of enterprises and IT organizations that have been meeting quarterly for more than a year to discuss ways of better protecting data against online thieves. Council members include major financial institutions, like Northwestern Mutual Life Insurance, American Express and Merrill Lynch & Co. It also includes numerous international banks, a Long Island, N.Y., city government, two universities, the United Nations Development Program and the World Bank. Stuart McIrvine, director of corporate client security strategy for Big Blue, talked to SearchSecurity.com about how everyone can benefit from what enterprises in this program are doing.

What's the motive behind the new council and IBM's role in it?
Information today is so much a part of the lifeblood of so many types of businesses, and as we look at more regulation being imposed -- whether it's Sarbanes-Oxley or some of the privacy issues being brought to a head with the wave of identity thefts -- better governance and management of information is becoming more and more critical for companies. The big motivator here is to try and get a much better understanding of different companies and different industries -- what their focus is from this data governance perspective, so that we can help better meet their needs and can better understand how they manage information and what problems they run into. Then we can customize our offerings much better.
There are a lot of similar-sounding organizations out there. What makes this one different?
The types of companies and seniority of people from each company make it different, as well as the level of attention they're giving it. When we call these councils together quarterly, there is very high turnout. All the individuals are motivated to get these problems solved. Companies used to focus on financial risks, but risks go beyond that now. There are CEOs and CFOs that want to stay out of jail. It can come back down to how information is managed within a company, so these companies are more motivated to get more automated solutions to this problem, such as setting the right policy at the business level for how this information is managed.
What's been done since the meetings began?
We've formulated a good understanding of the key problems that companies are focused on, mainly understanding policy and how to model policy. We've pulled together the key tools we have in the company and architected a blueprint on how these tools fit together and can help companies automate this. A couple of companies within the council are running pilots against this blueprint.
What do you anticipate happening beyond this, not only for council members but other companies with a stake in data regulations?
In general, helping them find a way to much better govern their information and eliminating the manual processes that really are required for checks and balances of what can be done to the information. The automation doesn't just eliminate manual work; it also becomes more accurate, therefore lowering the overall risks some of them deal with on a day-to-day basis.
The timing for this is good, given the staggering number of companies whose lax security policies have been exposed through publicized data thefts in the last six months. Why hasn't something been done before now?
It's the simple case of businesses having way more priorities to deal with than the resources to handle them. Unfortunately, all these breaches and thefts have really manifested themselves as events driving attention to this space. It's not that it hasn't been important. It's just that other parts of the business have taken priority.
Is it possible to stay ahead of the bad guys?
It really is possible to deal with this problem by companies serving much more of a focus on their information. Our whole information-on-demand strategy really pushes companies to focus on all aspects of information management: the acquisition of it; the management of it; the securing of it; and the analysis of it. One thing we tell companies is not to do these things in isolation. It needs to be done in a strategic perspective, a holistic perspective. When information is managed strategically, when security is part of those processes and not an afterthought -- it makes life extremely difficult for these hackers and thieves. The technology is there; it just needs to be used in the right way.
What do you mean by that?
For example, a company will design a business process and later find an application that needs access control so not everybody can access the application. The problem is then you are patching the security in later. The tools are there, but when you're designing a business process, security shouldn't be an afterthought but integrated into the overall strategy. Instead of managing individual applications, you manage identities overall from one centralized database or set of databases. I manage how these people access the processes and not the individual applications or data stores. Same tools -- it's just a different approach to how they are utilized and how the systems are designed to make them much more secure and much more manageable. If they're not much more manageable, then it becomes manual again and much more vulnerable.
That seems to be the shift in industry mindset promoted by ID management vendors -- to make the networks more user-centric than application-centric?
It looks at who's involved in a process and what roles these people have. We have a lot of companies that say they're having difficulty rolling out the identity management capabilities, and when we look, they understand the technology very well; they just haven't done the upfront work and defined the roles they want to exist in the company. And that is a very critical step prior to deploying an identity management solution. You bring in business consultants that help define what roles need to exist in that business, and then the technology can enforce what these roles are assigned to do.
Where do you expect the council to be a year from now?
We will hopefully have some pilots running in about half of the council members, then fine-tuned before we deliver our formal offerings in this space. I'd also like to start to look beyond the basic blueprint at how we can organizationally create better infrastructures, particularly much better integration of the business and the IT communities, because that is critical.
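The two ideas McIrvine keeps returning to, define the business roles before deploying identity management and then let one central identity store make the access decision for every application rather than patching access control into each application afterwards, can be shown in a few lines. The following is an added illustration written for this page; it is not IBM code, is not tied to any IBM product, and every role, permission, application and user name in it is constructed.

```python
"""Centralized role-based access decisions.

Illustrates the interview's point: roles are defined up front from the
business process, users are assigned only to defined roles, and every
application asks one identity store for its access decision instead of
keeping its own access list. Added example; all names are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


class UndefinedRoleError(ValueError):
    """Raised when a user is assigned a role the business never defined."""


@dataclass
class IdentityStore:
    # role -> set of (application, action) permissions, defined up front
    roles: dict[str, set[tuple[str, str]]] = field(default_factory=dict)
    # user -> set of roles held
    members: dict[str, set[str]] = field(default_factory=dict)

    def define_role(self, role: str, permissions: set[tuple[str, str]]) -> None:
        """Step one in the interview: the business decides which roles exist."""
        self.roles[role] = set(permissions)

    def assign(self, user: str, role: str) -> None:
        """Refuse to grant a role nobody defined; that is the missing upfront work."""
        if role not in self.roles:
            raise UndefinedRoleError(f"role {role!r} has not been defined")
        self.members.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        self.members.get(user, set()).discard(role)

    def is_allowed(self, user: str, application: str, action: str) -> bool:
        """The single decision point every application calls."""
        return any(
            (application, action) in self.roles[role]
            for role in self.members.get(user, set())
        )


def build_store() -> IdentityStore:
    """Constructed sample: an insurer with two roles and two applications."""
    store = IdentityStore()
    store.define_role("claims_adjuster", {("claims", "read"), ("claims", "update")})
    store.define_role("auditor", {("claims", "read"), ("ledger", "read")})
    store.assign("alice", "claims_adjuster")
    store.assign("bob", "auditor")
    return store


def offboarding_demo() -> tuple[bool, bool]:
    """One revoke in the central store changes the answer for every application.

    Returns (allowed before revoke, allowed after revoke) for the same request.
    """
    store = build_store()
    before = store.is_allowed("alice", "claims", "update")
    store.revoke("alice", "claims_adjuster")
    after = store.is_allowed("alice", "claims", "update")
    return before, after


def undefined_role_is_rejected() -> bool:
    """Assigning an undefined role fails loudly instead of silently granting nothing."""
    store = build_store()
    try:
        store.assign("carol", "underwriter")  # never defined by the business
    except UndefinedRoleError:
        return True
    return False


if __name__ == "__main__":
    s = build_store()
    print("alice may update claims:", s.is_allowed("alice", "claims", "update"))
    print("bob may update claims:  ", s.is_allowed("bob", "claims", "update"))
    print("offboarding (before, after):", offboarding_demo())
    print("undefined role rejected:", undefined_role_is_rejected())
```

The point of the design is that `is_allowed` is the only place access is decided: an application never stores who may do what, so adding, changing or revoking a role is a single central change rather than a manual edit in each application, which is exactly the manual, error-prone work the interview says automation should remove.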
