Keeping the Chaos at Bay
As you read this, more than 10,000 viruses, worms and Trojan horses are trying to take down your operations. A habitual hacker may be trying to crack open your inventory records, erase the past year's transactions and dismantle the entire supply chain. Another sophisticated intruder using spyware may be peering into your customer database, stealing precious data and handing it over to your competitors. Any minute, the prized privacy of your customers could be compromised. And then there's the small but growing number of disgruntled employees who may be trying to snoop into payroll records or create an embarrassing breach in the flow of data.
The problems that keep security professionals awake at night are expanding every day. Thanks to the explosive growth of the Internet and the slew of IP-based automation it enables, the network now is intrinsically integrated into the central nervous system of the enterprise. Nearly all business functions, from R&D to distribution, are now integrated on the network, but the security solutions themselves tend to be relegated to the edge.
Additionally, government regulations mandate strict new rules for safeguarding information, and a growing number of companies must maintain auditable financial archives.
Add to that the growing public concern over privacy: As many executives can now attest, lax security measures for customer records can lead to legal violations and hefty fines.
As if that weren't enough, nearly half of today's workforce is now able to log on remotely, leaving literally millions of access ports exposed like never before.
In short, the risks from security vulnerabilities are greater than ever. Should the industry start demanding more from the network itself?
Security: A Top Priority
No surprise, then, that security has found its way to the top of the ever-mounting priority list for CIOs. According to a recent Computer Security Institute/FBI survey, 92 percent of companies surveyed experienced a cyber attack in 2003.
"What was once primarily a technology job is today becoming one consumed by security," according to Matthew Kovar, analyst with the Yankee Group. "Just a few years ago, the CIO's biggest concerns were email access and keeping the network up. Today, CIOs are as consumed with legal and regulatory issues as they are with keeping the data flowing."
It stands to reason, then, that security management is consuming larger-than-ever parts of the day for CIO teams this year. And thanks to the growing volume and severity of cyber threats -- the Computer Security Institute says that a third of all security-related incidents last year resulted from thefts of online data -- the amount of time and money invested in defense tactics is expected to rise accordingly. A recent NPD Group study said August 2003 was the largest sales month ever for consumer security software, increasing threefold during the weeks following outbreaks of the SoBig and MSblaster viruses. For virus detection, sales for August 2003 totaled nearly $27 million on 581,000 units, up from $13.7 million the year before. For security, sales for August 2003 were $19 million, up from $6 million the year before.
Ed Amoroso, AT&T Chief Information Security Officer, stands watch over one of the largest networks.
"Today, a company's ability to succeed depends on the CIO's ability to keep the network safe," he said. "And more and more CIOs are realizing that true safety starts from within the network, not with outside fixes."
With a networking system that spans millions of miles around the world, transmitting more than 3.6 petabytes of data each day, Amoroso works to ensure the integrity of AT&T's networks -- both those that keep AT&T running and those for its business and government customers. His surveillance at the deepest levels of network operations has made the AT&T networks what many consider some of the safest in the world, and has earned Amoroso recognition as a "top cyber cop" year after year. And thanks to recent AT&T Labs innovations, Amoroso now has a Hubble-like view into cyberspace, allowing him to peer far past the orbit of existing firewalls.
"It's no longer about keeping a step ahead of the attackers," Amoroso said. "It's about keeping five, six, seven steps ahead, anticipating not what they may do next, but what they will do after that."
In fact, he added, once an attack has reached a company's firewall, it may be too late.
"You've got to get them where they live," he said. "You've got to take the fight to the enemy."
The Everyday Network
Despite the attention paid to past security incidents and the need to protect against future ones, the biggest priority is still the business of today. And while security issues remain the fastest growing concern, ensuring smooth sailing for everyday operations remains top of mind for CIOs.
This is especially true now, as networks undergo their biggest transformation since the birth of broadband. Convergence of wireless, voice, data and video is coming full steam. Integration of automated business functions and real-time collaboration -- while great for productivity -- mean new challenges for everyday maintenance. This doesn't include, of course, the growing number of "outsiders" in the supply chain who need access to the network -- and all the day-to-day details involved in clearance and validation.
Networks are fast becoming the corporate central nervous system, playing a role few analysts could have predicted a decade ago.
During these last few years of cost containment and rising economic challenges, the well-run network was able to quietly earn its stripes at corporations around the world. CIOs have used networked applications to improve productivity, drive down costs and generally manage the daily flow of data that keeps a business buzzing. CIOs have shot back at the rocky business climate by aggressively developing new ways that networking can help a company meet its business goals.
In short, networking has come to be seen as the "mighty facilitator," the force behind so many of the achievements companies have experienced over the last few years. Resourceful CIOs have put their infrastructure to the test every day, from supply chain management and CRM to employee communications and marketing. The question no longer is, "What can your network do?" The question is, "What more can your network do?"
No wonder that the effort has increased dramatically to keep this central nervous system in optimal health, with maintenance and prevention vital. That the network has become so all-encompassing and central to the well-being of every company today is the good news. But it's also the bad news. The daily operations of the network -- once mainly a technology and cost maintenance issue -- have clearly become an issue that has a major impact on the competitiveness and success of the entire organization.
As if the growing threats of cyber attacks weren't enough, two broader issues will begin to rise on the list of IT management concerns. According to Jon Oltsik, analyst for the Enterprise Strategy Group, compliance and privacy will become top challenges for most CIOs and IT managers this year, if they aren't already.
"We expect IT managers will be spending a lot more time in the company of legal counsel and compliance officers," Oltsik said. "The risks of not complying are just far too great now."
Citing the particularly stringent regulations for hospitals and other health care institutions, Oltsik explained that compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA) has become a gruesome task, especially with an April 2005 deadline fast approaching. Securing the vast national databases of patient information, from drug dosages to payment records, is a challenge for every nursing home, home health care provider and physician network. It's even more important for large medical institutions.
Financial institutions also are increasingly under government pressure to safeguard customer information. For example, in the U.S., the new Safeguards Rule of the Gramm-Leach-Bliley Act is creating growing challenges for IT managers as well as for their legal and compliance officers.
What this means for banks and brokerages is that every transaction must be accounted for in "who, what, where" kind of detail and analyzed at a moment's notice.
"Not only will you have to document who had access to what data and when, but who did what to it and why," Oltsik said.
As more and more customers bank and invest online, the need for privacy protection will continue to increase, said Yankee Group's Matthew Kovar.
"It's been the chief obstacle to growing the online financial consumer market," said Kovar, "and if we can provide a greater sense of security for customers' privacy and the safety of their accounts, the consumer base should grow larger."
While privacy concerns will continue to be top issues for customers of financial institutions and government agencies, as well as many other types of businesses, a major hitch in compliance is that privacy regulations are not universal. Companies in Europe, for instance, are used to a much greater sense of privacy protection than companies in the United States.
For online businesses, where little distinction is made between handling customers in one country or the next, the perils of privacy infringement can become a major issue in relationship management. And since privacy regulations in the European Union are far more stringent than in the United States, what might be deemed just a clever marketing ploy in New York may mean a major violation in Paris.
"In the United States, the onus is on the customer to 'opt out,'" said Kovar. "But in the EU, the onus is on the company. In the EU, the company has to formally obtain consent from the customer to use personal data, and then show proof that the customer has consented."
Regulation, compliance and privacy issues will only mount in the years ahead, even as the technology side of security becomes increasingly complex.
"The biggest challenge a few years ago was just waiting to see what the next 'Sasser worm' virus was going to be or trying to track down the sources of inside fraud or training our remote workers how to protect their passwords and access codes," said Kovar.
But the role of the CIO today is far more extensive in its scope and implications. From an original focus on basic IT functionality to managing cost containment to the current growing pressure to deliver tangible business productivity and growth results, the choices CIOs make on a whole host of issues are more crucial today than they were even a few short years ago.
According to Kovar, companies increasingly are looking to partner with specialist firms -- for everything from database protection to compliance with federal regulations to networking security management -- to help them keep their operations running and secure.
With the stakes so high and market demand surging, it's no surprise that more than four million so-called "security vendors" emerge from a single Google search.
But Oltsik advises companies seeking outside support for their security management to do the highest level "security check" on their own. Potential partners should be checked not only for their technology expertise, but for their understanding of the unique compliance issues affecting every industry today.
"When CIOs can rely on an outside expert, a real partner they can trust to safeguard their network, not only does the CIO team benefit, but so does the company, its employees, suppliers and customers," said Kovar.
Not surprisingly, both Kovar and Oltsik expect the rate of cyber attacks to only grow through the rest of the decade, leading most CIOs to continue keeping security top of mind.
New government mandates will mean far more time dealing with compliance. New privacy concerns will mean more time creating policy. And new competitive pressures will mean great opportunities for CIOs to facilitate improved productivity, processes and performance.
But what may be most critical for the CIO today: an intelligent, flexible and responsive network that actively performs as the CIO's partner in the quest for greater security.

