News Stay informed about the latest enterprise technology news and product updates.

Firm takes steps to address email management security risks

Frank Chambers, director of security management at Constellation Energy explains how his firm manages email risk.

As an information security professional, corporate email and the risk of what lies within it, is one of the things the keeps me up at night. These days email commonly appears in legal requests, regulatory inquiries and corporate investigations. It's our de facto form of communication and like most other Fortune 500 companies, we have lots of it.

As the director of information security management at Constellation Energy, I oversee a team tasked with performing all email investigations. If you've ever held this position at a large company, you know it can easily turn a 40-hour work week into an 80-hour work week because of the sheer volume of messages, rising number of email related discovery requests, and painstaking task of manually analyzing email.

Constellation Energy handles some of the challenges of email by taking a proactive stance and standardizing our investigation process. Our approach helps me sleep at night, and this process has actually saved the company both time and money.

Email management security risks:
Messaging insecurity fuels data leakage fears: The proliferation of messaging technology means more opportunity for malware to take root and sensitive data to be lifted.

CISO focuses on enterprise risk: Craig Shumard overhauled CIGNA's risk operations by appointing business unit managers as conduits between lines of business and security.

Does email archiving mean keep everything? An expert at the Storage Decisions conference weighs in on whether it makes sense to keep data forever or if reducing data also reduces risk. Plus dirt on conniving lawyers and dodgy tape practices.

If you're trying to get a handle on email or simply want to improve the way your company manages email risk, here are some ideas on where to start:

  • Know when to hold 'em: Implement email storage or an archive and establish a retention policy for email that makes sense given your corporate culture, regulatory requirements and industry. Be sure to specify policies and controls for what can be stored on user desktops and laptops and for how long.
  • Strength in numbers: What good is a policy if nobody agrees with it or, worse, if nobody even knows about it? Make sure key departments such as Legal, IT, and HR have a clear understanding of the process, and more importantly, approve of your e-mail retention, retrieval and analysis policies.
  • Automation is a good thing: Find ways to be more efficient through technology. In addition to saving time, newer technologies can save money by routinely moving older email to low-cost storage and automating email analysis such as piecing together discussion threads and quickly identifying who knew what and when.
  • See the forest through the trees: Don't lose sight of the big picture. In addition to spending time and energy on automating daily tasks, put energy into more strategic matters like proactively identifying issues before they turn into problem areas. Some automation technologies will even do the work for you by automatically tracking group-to-group communications between identified groups.
  • Like the Boy Scouts say, "Be Prepared": The right time to begin thinking about installing an archive or establishing a process for email inquiries is now, not when you are about to be investigated -- by then it's too late. Talk to your peers and see what is and isn't working for them. Get your budget approved and do the necessary leg work while you still have time.
  • Create a repeatable process: If you're like me, you hate being caught off guard. I like knowing when and how I'm going to respond to an issue before it even happens. After all, ad hoc anything is the antithesis of keeping things secure; whereas, order and predictability are our friends when it comes to mitigating risk and improving the effectiveness of an overall security strategy.
  • Reality check: Periodically revisit the policies and processes you've established to make sure they are still working. Staff changes or newly acquired business units could put a wrinkle in the plan that should be taken into consideration, or you could be overlooking important problem areas or weak links that need to be fixed.
  • Above all, just because everyone takes email for granted, there's no excuse for taking shortcuts when this valuable resource could impact the effectiveness of an otherwise carefully thought out security strategy. Boiled down to its simplest form, email should be treated like any other type of corporate data that must be managed and dealt with accordingly. With the right policies and technologies in place, you can mitigate the risk and uncertainty of email and turn an otherwise costly and haphazard process into a manageable and critical component of your company's security strategy.

    Frank Chambers is director of information security management for Constellation Energy's corporate security department and risk division with 15-plus years of IT and security experience. In addition, he is responsible for the deployment of physical security access control and intrusion detection technologies and a 24x7 Security Operations Center monitoring and response operation. He has a BS in Information Technology, and holds the CISSP and CISM designations.

    Dig Deeper on Data privacy issues and compliance

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.