july 2010 cover story


Page 1: July 2010 Cover Story

18 CIO Digest July 2010

COVER STORY

By Patrick E. Spencer

“Toto, We’re Not in Kansas Anymore”

The Changing Security Landscape

When Dorothy and her dog Toto are deposited in the Land of Oz in L. Frank Baum’s widely acclaimed children’s novel, The Wonderful Wizard of Oz, and the even

The Wizard of Oz, Dorothy soon realizes that she is no longer in Kansas. The landscape, including characters and threats, has dramatically changed. Many of the characters in the Land of Oz resemble the characters found back on the Kansas farm of Dorothy’s aunt and uncle. However, they are much more imposing and, in the case of the Wicked Witch of the West, much more threatening.

The same can be said of the security and compliance landscape today. The threats of several years ago—whether phishing, malware and viruses, data loss, or compliancy—have trajectories that extend to today’s security landscape. But just as Dorothy exclaims to her dog Toto that they are “not in Kansas anymore” upon arriving in the Land of Oz, IT leaders are quick to point out that the security landscape today is much more imposing and threatening than a few years ago. Threats are growing at alarming rates, and the permutations are creating much more virulent and furtive modes of attack. The security and compliance solutions of a few years ago

are becoming quickly outdated—and, more

This article will investigate the changes that have taken place in the areas of security and compliance and will look at several levers that are driving this change. The lat-

compliancy challenges; (2) the alignment of security strategies with business requirements; (3) the growing focus on information and not just infrastructure; and (4) next-generation threat management challenges such as social media and cloud computing. The article also includes insights and recommendations from three global information security leaders: Eddie Borrero

symantec.com/ciodigest 19

from Robert Half International, Yuval Illuz from ECI Telecom and Kim Sassaman from Presbyterian Healthcare Services.

“We’re off to achieve compliance”

-cial crisis and the recent healthcare initiatives in the United States have

-tions and tighter cost constraints. A recent study by the IT Policy Compliance Group shows that organizations with the least amount of downtime and data loss are those that adhere to IT policy and management best practices.1 That is the case with the three organizations interviewed for this article; each is putting more focus on security and compliance.

For example, despite additional regulatory requirements and tighter budgets, the technology roadmap for ECI’s Illuz hasn’t changed. “The

slower path to implementation for certain initiatives,” he reports. And even though ECI is privately held, compliance with industry standards and regulations remains important. “While SOX (Sarbanes-Oxley) compliance is not a requisite for us, we made a decision when the company went private in 2007 to maintain SOX compliance,” he explains. He and his team also adhere to other standards such as the Information Technology Infrastructure Library (ITIL) and ISO27001.

As part of their larger compliancy program, Illuz and his team are using Symantec Security Information Manager to provide a single panel view across all of the company’s security tools and Symantec Control Compliance Suite to manage and enforce compliance against a number of external and internal requirements. “Security Information Manager is the ‘conductor of the orchestra’ for us,” Illuz says. “It helps us manage all of

tools—from one view. We’re just getting started with Control Compliance Suite, but we anticipate that it will enhance our security posture while decreasing the time we spend running reports.”

Podcast: Check out the Executive Spotlight Podcast with HBR’s Angelia Herrin at go.symantec.com/herrin-podcast.

The changes in U.S. healthcare over the past year created a number of new compliance challenges for Presbyterian Healthcare Services’ Sassaman. “Until recently, outside of HIPAA (Health Insurance Portability and Accountability


Page 3: July 2010 Cover Story

Act), healthcare hasn’t had to deal with the breadth of regulatory requirements in other industries such as IT in financial services,” he says. “However, this changed with the Payment Card Industry (PCI) Data Security Standard and the privacy and security requirements that are part of the HITECH (Health Information Technology for Economic and Clinical Health) Act. Healthcare organizations are now under the compliance microscope.”

Like ECI’s Illuz, Sassaman and his team have deployed Symantec Security Information Manager for centralized security monitoring and management and Symantec Control Compliance Suite for IT policy management and compliance. Similarly, their security management system is also based on ISO27001.

As Robert Half International is a publicly traded company, Borrero and his team must comply with a number of different regulations. They’ve addressed three basic compliance initiatives over the past several years: SOX, PCI, and HIPAA. “PCI wasn’t at the top of our radar, as we’re a tier-four merchant,” he says. “But we collaborated with our business counterparts to quickly address it, identifying where credit card information was being used, how we were processing cards, and where the data was being stored. We then developed a program to achieve compliance.” And just as Illuz and Sassaman use ISO27001 as the baseline for measuring the success of their security programs, Borrero and his team do as well.

“There’s no place like business-IT alignment”

Alignment of IT and business remains a priority for business executives and IT leaders. Indeed,


For the entire “Unlocking the Value of the Information Economy” report from Harvard Business Review Analytic Services, visit go.symantec.com/hbr.

Running Security and Compliance as a Business

ROBERT HALF INTERNATIONAL

Upon his arrival, CIO Sean Perry was given the charge to run IT as a business. He leveraged business process optimization to restructure the IT team to align with the company’s different businesses. Underneath this larger umbrella, Eddie Borrero’s assignment was to enhance the company’s long-term, strategic security and compliance plan. To identify the highest priorities, he engaged Protiviti Inc., a Robert Half International global business consulting and internal audit firm, to perform an IT risk assessment using ISO27001 as the basis. Data loss prevention was identified as one priority.

Protecting proprietary data

With a largely silo-based security and compliance infrastructure, Borrero established technology standardization and vendor consolidation as pivotal selection criteria. And as Robert Half International was already a Symantec customer, relying on various storage management—including email archiving and e-discovery—and endpoint security solutions, Borrero didn’t need to look far for a data loss prevention solution. Borrero and his team conducted a proof of concept for Symantec Data Loss Prevention, and both Borrero and his team, as well as Senior Vice President of Operational Support Ken Gitlin, one of the executive sponsors for the project, were convinced that it was the right choice.

Over a period of six months, Borrero and his team rolled out Data Loss Prevention for endpoints and the network, and they are in the process of extending it to cover storage as well. They worked with the different business owners to define policies around discovery, monitoring, management, and enforcement. The solution improved the company’s IT risk posture. “We have a comprehensive vulnerability index that reports on nearly everything, mapping applications to specific business processes,” Borrero says.

The data loss prevention solution is also generating hard business value results. “Because we are now able to enforce certain policies, the time we spend on e-discovery has been reduced by more than 80 percent,” Borrero explains.

Just getting started

Borrero and his team are in the process of upgrading from Symantec AntiVirus to Symantec Endpoint Protection for endpoint security to gain broader functionality and enhanced system performance through its smaller footprint. They also are preparing to roll out Symantec Web Gateway and currently use Symantec Enterprise Vault Discovery Accelerator for email e-discovery. The latter streamlined the discovery process, which saves Robert Half International hundreds of hours in staff time annually.

At the end of the day, Borrero and his team ask themselves three questions when they work on security and compliance initiatives: (1) how are they mitigating risk and improving the IT risk posture of the company; (2) how are they enabling the business; and (3) how are they saving the company money. “If we get these right, then we are on the right track,” he concludes.

Page 4: July 2010 Cover Story


business process optimization and alignment of business requirements and technology priorities were given top ranking by both CEOs and IT leaders in the recent report, “Unlocking the Value of the Information Economy,” published by the Harvard Business Review (HBR).2 One would infer that there is close functional alignment.

However, this isn’t the case according to the findings of the HBR report. Sixty percent of IT leaders indicated that business requirements and technology priorities need closer alignment, whereas less than 40 percent of CEOs disagreed. The report also reveals that IT leaders are involved only 51 percent of the time in strategic decision making. And this is translating into budget allocation: 23 percent of CEOs believe investing in IT is critical to growing their businesses.

Proof of business and IT alignment should be found in areas such as business process collaboration. But this isn’t the case. Forty-four percent of respondents in the HBR report indicate they do not have cross-functional IT governance models, and moreover IT leaders are involved in strategic decision-making only 51 percent of the time. “CEOs and IT leaders agree that business processes need improvement,” says Angelia Herrin, director of Research and Special Projects at HBR who oversaw the report’s compilation. “But they have different ideas in terms of what it means once you ‘get underneath the hood’ to fix the problem.”

Robert Half International

Founded: 1948

Headquarters: Menlo Park, California

Locations: 400 locations worldwide

Employees: 9,900

Website: www.rhi.com

Security Team: Staff is broken into three teams: (1) risk and compliance; (2) engineering focused on traditional security architecture and infrastructure; and (3) operations tasked with security monitoring, service desk, e-discovery, compliance, and other associated functions.

Business Overview: World’s leading specialized staffing service and the first to provide placement services for accounting, finance, and IT professionals. Parent company of Protiviti Inc., a global business consulting and internal audit firm.

Symantec Security and Compliance Solutions:

> Symantec Endpoint Protection

> Symantec Data Loss Prevention

> Symantec Web Gateway

> Symantec Enterprise Vault

> Symantec Consulting Services

“We have a comprehensive vulnerability index that reports on nearly everything, mapping applications to specific business processes.”

– Eddie Borrero, Director of Information Security, Robert Half International

Podcast: Check out the Executive Spotlight Podcast with Eddie Borrero at go.symantec.com/borrero-podcast.

[Photo: Michael Brunetto]

Page 5: July 2010 Cover Story


Each of the security heads interviewed for this article has been able to achieve business and IT alignment by engaging business owners in strategic decision making. When Robert Half International’s Borrero was named to oversee information security, CIO Sean Perry charged him to develop a next-generation security and risk management program.

Borrero didn’t look very far before finding an organization to get the process started; he engaged Protiviti Inc., Robert Half International’s global consulting and internal audit firm, to conduct an ISO27001 risk assessment and provide corresponding recommendations. “The audit provided us with a framework to engage the business and to get our C-level executives involved in security and compliance discussions,” Borrero says. Due to the results of the effort, an Information Privacy and Protection Steering Committee—consisting of representatives from IT and various business executives—is now charged with driving the larger security and compliance strategy for the company. “We manage not only our security and compliance initiatives but all of our IT projects from a raw portfolio perspective,” Borrero notes. “A business owner is involved in every IT project, from initial approval to go live. IT—and specifically security and compliance—is really a part of our business.”

When Illuz was appointed to lead information security and compliance at ECI, there was little interaction with business owners. “We had little cross-functional alignment, and security and compliance was done in silos,” he remembers. “Sometimes security programs weren’t even driven at the global level but at individual offices.” This was one of the first initiatives he drove: global consolidation of security and compliance.

The next step was standardization. “As we move from infrastructure-based security solutions to information-based security solutions, a convergence of technologies is taking place,” Illuz says. How individual solutions behave within an integrated stack and what the long-term roadmap looks like is the central consideration for Illuz: “The ability to add layers of security as needed—whether it is messaging security, data loss prevention, or compliance—is what has guided our acquisition strategy.”

Sassaman was initially engaged at Presbyterian Healthcare Services as a consultant and was tasked to look at security and

7 Tips on Building a Comprehensive Security Program

The following are based on recommendations gleaned from the interviews with Borrero, Illuz, and Sassaman.

1. Seek providers focused on business requirements and technology challenges, not individual product features.

2. Look for an integrated set of solutions that include a long-term roadmap.

3. Standardize security and compliance infrastructure as much as possible to gain operational efficiencies and value-add.

4. Select security and compliance solutions focused on information—and eventually identity and interactions.

5. Build cross-functional linkages and governance models to ensure buy-in and collaboration from relevant business owners.

6. Establish soft (e.g., improved IT risk posture, etc.) and hard (e.g., reduced cost, improved staff productivity, etc.) business value metrics that are communicated pre- and post-implementation.

7. Technology is not an end-all solution for meeting security and compliance requirements; an effective strategy also includes processes and people.

Left to right: Andre Lewis, Manager, Information Security; Eddie Borrero, Director, Information Security; and Kuo Chan Huang, Manager, Security Infrastructure, Robert Half International

[Photo: Michael Brunetto]

Page 6: July 2010 Cover Story


compliance audits and to make corresponding technology and process recommendations. Like ECI, Presbyterian Healthcare Services didn’t have an integrated security program; it had a number of networked silos with little or no business alignment.

Working in concert with the CIO, Donna Agnew, Sassaman restructured his team for better alignment with the business and formed I-SPOT, an information security oversight team that is chaired by Agnew and the chief compliance officer and is comprised of representatives from across the business. “We have great visibility as a result of I-SPOT and our realignment,” Sassaman notes. “Indeed, because of its success, we now have representation on the Compliance and Audit Committee on which several members of our board of directors sit.”

The “information brick road”

Despite the rapidly changing threat landscape, security and compliance technologies and strategies have not remained stationary; they are evolving to proactively address the new and ever-changing surroundings. And while security at the infrastructure layer remains important, the focus has evolved to the information layer. Locking down the infrastructure is no longer enough—or even an option. Information is everywhere: laptops and desktops, mobile devices, portable memory storage, data center servers, and storage systems. And it is being accessed from any number of locations: from workplaces, to coffee shops and hotels, to ski resorts and beaches, to airplanes. “We’ve seen significant proliferation in endpoints and the ways information is being accessed in just the past year or two, and this trend is only going to increase,” ECI’s Illuz notes.

CEOs and IT leaders both agree that information is an essential business ingredient. For example, the HBR report found that 54 percent of CEOs strongly agree that information is a key strategic asset. “Regardless of what business you’re in, information is your most vital asset,” says Herrin. “You cannot run your business without it.”

One thus should find a comparable ratio placing a premium on protecting that information; however, only 21 percent strongly agree that investing in IT is critical to growth. Yet at the same time, less than half of CEOs feel their companies have adequate security controls in place. This is corroborated by recent findings by the Center for Strategic & International Studies: 66 percent of firms it surveyed reduced their security

For the Passion of Security

EDDIE BORRERO

After completing four years of service in the United States Navy, working in the reactor room of an aircraft carrier, Eddie Borrero took a job in construction. And even though he quickly moved into a supervisory role, he knew that construction was not a long-term career objective. He applied and was accepted to begin work on an undergraduate degree at a college in the San Francisco Bay Area.

One of the first things he did was purchase a computer to help with his school work. “I fell in love with the computer and had torn it apart within the first week of school to figure out how it worked,” Borrero recalls. “I wanted to know everything about it.” However, as the school had limited offerings around computer science, Borrero soon transferred to Saint Mary’s College of California, where he completed a degree in business administration. He currently is working on a master’s in business administration at John F. Kennedy University.

Some Christmas cheer

While Borrero was still working on his degree at Saint Mary’s College, he attended the holiday party for his wife’s company and met a vice president of a consulting organization. The vice president was impressed with Borrero’s passion and invited him to interview for a position. “They hired me as a consultant,” he says. “It was a great opportunity to pair what I was learning in class with real-world challenges.”

Borrero eventually left the consulting company and ended up as an IT infrastructure manager in 1998. However, as he had gained a background and interest in security throughout his career, he accepted a position at Intuit as a lead security engineer. He joined Robert Half International in 2005 and was eventually charged by CIO Sean Perry to oversee Global Information Security and Compliance.

Is there an award winner in the room?

It took Borrero several career paths before he found his true passion. However, once he found it, he hasn’t let up. Indeed, Robert Half International recognized him as one of the five Chairman’s Circle winners through the company’s annual Circle of Excellence Awards. “I am normally assigned the task of compiling the results,” Borrero quips. “When Sean told me that it had been reassigned, I knew something was up. It was truly a real honor and a big surprise.”

[Photo: Michael Brunetto]

Page 7: July 2010 Cover Story


Upon his arrival at ECI in 2009, Yuval Illuz discov-

ered a highly distributed security and compliance

infrastructure. Management of these disparate, point

product solutions was highly inefficient. The different pieces

didn’t integrate, and the ECI team often had instances where

the products were in collusion with each other. “Support was

an often complicated, complex process,” Illuz says. “It was

difficult to ascertain the root cause of a problem and the

support teams from each of the different security vendors

would point the finger of blame at each other.” The situation

was further aggravated by the fact that a standard security

and compliance infrastructure did not exist across all of the

company’s offices. “One of my primary goals was to build a

cross-functional security team and equipped it with the tools

needed to understand what was happening across the entire

organization,” Illuz summarizes.

Starting point: data loss preventionAfter completing an assessment of the security and

compliance infrastructure, Illuz and his team made the

decision to reach a standard global infrastructure and

to consolidate the different toolsets down from another

technology provider. “It wasn’t an easy decision to move

away from some of these technology solutions,” Illuz

recalls, “but it was the right choice.”

After looking at solutions, including product road-

maps, Illuz and his team settled on Symantec. “I had

confidence that Symantec would deliver on our business

requirements,” Illuz says. “They had the most compre-

hensive product portfolio and a strategic, long-term

roadmap that aligned with our business.”

Illuz and his team embarked on working with Symantec

to migrate their existing security and compliance infra-

structure pieces to Symantec technology solutions. With

heavy investments in research and development, proprie-

tary information is a critical asset for ECI. As a result, rather

than starting with the security infrastructure, Illuz decided

to begin by addressing the biggest security and compliance

gap—data loss prevention. He and his team, with help from

Symantec Consulting Services, rolled out Symantec Data

Loss Prevention, initially for just storage and the network

but subsequently to endpoints. For the initial deployment,

they turned on the Discover and Monitor modules and are

in the process of adding the Manage and Prevent modules

for certain users and data types based on defined policies.

“Thanks to Symantec Data Loss Prevention, we are now

proactive in protecting our proprietary information,” Illuz

says. “Our data is much safer now.”

Benefits go beyond reduced IT risk. For example, ECI’s IT

staff previously spent an average of 210 hours each month

analyzing and evaluating more than 300 alerts for potential

data loss. This is no longer necessary with Data Loss Preven-

tion, equating to a three-year labor productivity savings of

US$224,000.

Comprehensive endpoint and messaging securityConcurrent with the data loss prevention rollout, Illuz and

his team opted to begin implementing different components

from Symantec Protection Suite Enterprise Edition. For end-

point security, ECI had relied on a disparate set of endpoint

security solutions from another technology provider. “We

needed a more comprehensive and integrated solution and

Symantec Protection Suite met our requirements,” Illuz says.

With the help of Symantec Consulting Services, the ECI team

migrated all of its clients and data center servers to Symantec

Endpoint Protection and added Symantec Network Access

Control for enhanced protection. They also extended Syman-

tec Endpoint Encryption to all clients.

Seeking to reduce incoming spam and false positives, Illuz

and his team migrated their messaging security infrastructure

from a prior solution to three Symantec Brightmail Gate-

way appliances and one Symantec Brightmail Gateway

virtual machine. “We sought productivity gains,” Illuz notes.

“IT staff was spending too much time remediating infected cli-

ents and servers, and end users were incurring downtime. The

migration was one of the easiest IT projects I’ve ever managed;

there was no disruption of email. In addition, the integration

with Data Loss Prevention was straightforward.”For backup and recovery of clients, the ECI team is in

the process of replacing a previous solution with Syman-tec Backup Exec System Recovery. The current backup procedure is a manual process that takes an average of six hours. Once Symantec Backup Exec System Recovery, which is part of Symantec Protection Suite, is in place, recovery time will be slashed to about 10 minutes. Illuz and his team also recently added Symantec IM Manager for scanning instant messaging for viruses and malware along with enforcing outbound content policies.

Next steps: security and compliance management

With the above pieces in place, the ECI team collaborated with Symantec Consulting Services to add Symantec Security Information Manager and has Symantec Control Compliance Suite on the deployment roadmap for later in the summer. “We’ve assembled a number of pieces to the security puzzle, and Security Information Manager brings it all together,” Illuz says. Enhanced security management will drive in excess of $20,000 in productivity improvements over a period of two and a half years.

“Information is at the core of our business, and it is our obligation to protect it,” he concludes. “The loss of intellectual property could literally mean millions of dollars in lost revenue or millions of dollars in litigation. We’ve taken a comprehensive approach and have dramatically reduced our IT risk exposure while driving substantial operational efficiencies.”

It’s Comprehensive—and It’s Integrated


ECI TELECOM


spend in 2009, including 27 percent reporting reductions in excess of 15 percent.³

Information is critical when it comes to healthcare; it literally can mean the difference between life and death. However, before he could begin focusing on information—at rest and in motion—Presbyterian Healthcare Services’ Sassaman had to address fundamental security infrastructure requirements. He began by implementing Symantec Security Information Manager to provide consolidated management and reporting across the entirety of Presbyterian Healthcare Services’ security infrastructure.

Sassaman and his team then turned their attention to information. “We wanted to understand where the information resided, how it was being used, and who was accessing it,” he says. And Sassaman sought a solution with a long-term roadmap that would address information sharing not only within Presbyterian Healthcare Services but with other healthcare organizations. The team ultimately settled on Symantec Data Loss Prevention. “We call it our ‘data bloodhound’,” he jokes.

Founded: 1961

Headquarters: Petah Tikva, Israel

Locations: Offices in over 35 countries worldwide

Employees: Approximately 2,500

Website: www.ecitele.com

Security Team: 2 staff, plus outsourcing team

Business Overview: Leading supplier of telecom networking infrastructure for service provider networks worldwide; offerings are platforms and services that enable key applications such as business services, voice, video, and wireless backhaul.

Symantec Security and Compliance Solutions:

> Symantec Protection Suite Enterprise Edition (components deployed: Endpoint Protection, Endpoint Encryption, Brightmail Gateway, Backup Exec System Recovery)

> Symantec Data Loss Prevention

> Symantec Control Compliance Suite

> Symantec Security Information Manager

> Symantec Enterprise Vault

> Symantec IM Manager

> Symantec Consulting Services

“The loss of intellectual property could literally mean millions of dollars in lost revenue or millions of dollars in litigation.”

– Yuval Illuz, Head of Information Security, ECI

Video: Yuval Illuz discusses the comprehensive security and compliance program he and his team have rolled out at go.symantec.com/illuz-video.

Podcast: Check out the Executive Spotlight Podcast with Yuval Illuz at go.symantec.com/illuz-podcast.


ECI Telecom


“Security Information Manager is the ‘conductor of the orchestra’ for us.”

– Yuval Illuz, Head of Information Security, ECI


Information is intellectual property for ECI. “We develop a lot of source and patent code that is the lifeblood of the company,” Illuz explains. “It is our obligation to protect it.” He has taken a holistic approach in protecting and managing information, and standardization has served as the methodological underpinning. In particular, the ability to leverage “layered” security and compliance solutions with an underlying technology infrastructure was the primary reason for his selection of Symantec.

With information in the foreground, he and his team elected to address three solution areas: endpoint security, messaging security, and data loss prevention. “The integrated architectures of Symantec Protection Suite, Network Access Control, Brightmail Gateway, and Data Loss Prevention create unique opportunities for us,” Illuz observes. “The integrated stack allows us to monitor, manage, and enforce information policies across all of our disparate endpoints, data stores, and network.”

Robert Half International’s business is all about information; specifically, proprietary data. With the results of the IT risk assessment in hand, Borrero embarked on developing a data loss prevention strategy that would address short- and long-term requirements. “When we did the proof of concept for Symantec Data Loss Prevention, few on the team believed that we could accurately identify information in a very granular manner without impacting the business,” he quips. “But we did.”

Using exact data matching and index data matching to define policies for discovery, monitoring, management, and enforcement, Robert Half International and Protiviti teams now have a comprehensive understanding of where and how data is being used. “We’ve gone from a very manual, reactive data loss prevention posture to a proactive, automated approach,” he says.
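The exact data matching the passage above refers to works, in outline, as shown below. This is an added illustration for the reader, not Symantec's implementation or any code from the organizations quoted; the customer records, the index key and the scan texts are constructed for the demo.

```python
import hashlib
import hmac
import re

# Constructed sample of the structured "sensitive data source" an exact data
# matching (EDM) profile is indexed from; these are not real records.
SAMPLE_RECORDS = [
    {"last_name": "Example", "account": "11112222", "zip": "90210"},
    {"last_name": "Sample", "account": "33334444", "zip": "10001"},
]

# Hypothetical index key. A real deployment keeps this secret so that the
# fingerprint index cannot be reversed into the source values.
INDEX_KEY = b"constructed-demo-key"


def normalize(value: str) -> str:
    """Canonicalize a cell so formatting differences do not break matches."""
    return re.sub(r"[^a-z0-9]", "", value.lower())


def fingerprint(value: str) -> str:
    """Keyed hash of a normalized cell; the index stores no plaintext."""
    digest = hmac.new(INDEX_KEY, normalize(value).encode(), hashlib.sha256)
    return digest.hexdigest()


def build_index(records):
    """Map each record id to its set of (column, fingerprint) pairs."""
    return {
        rid: {(col, fingerprint(val)) for col, val in rec.items()}
        for rid, rec in enumerate(records)
    }


def tokenize(text: str):
    """Candidate tokens from free text (words and digit runs), normalized."""
    raw = re.findall(r"[A-Za-z0-9][A-Za-z0-9.\-]*", text)
    return {normalize(tok) for tok in raw}


def scan(text: str, index, min_columns: int = 2):
    """Return {record_id: [matched columns]} for records whose fingerprints
    appear in the text in at least min_columns distinct columns.

    Requiring several columns of one record to co-occur is what makes EDM
    precise compared with a regex: a lone ZIP code or surname never fires,
    but surname + account number from the same record does."""
    seen = {fingerprint(tok) for tok in tokenize(text)}
    hits = {}
    for rid, pairs in index.items():
        matched = {col for col, fp in pairs if fp in seen}
        if len(matched) >= min_columns:
            hits[rid] = sorted(matched)
    return hits


if __name__ == "__main__":
    idx = build_index(SAMPLE_RECORDS)
    outbound = "Hi, please update account 11112222 for customer Example in zip 90210"
    print(scan(outbound, idx))  # record 0 matched on three columns
    print(scan("Sample sent a note", idx))  # one column only: no hit
```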

Looking beyond the “Emerald City”

The threat management horizon shows that additional storm clouds are forming. Criminal activity will continue to prompt evolution in security and compliance technologies.

Theoretical + Practical = Success

Evolution and development of a professional career is not something that happens by accident. It typically requires careful planning and execution. This is precisely the approach Yuval Illuz has taken with his career. He determined very early in his academic studies that security and compliance were areas of real interest to him. “I constantly sought opportunities to combine my academic studies with my professional responsibilities,” he says. “This gave me the ability to take the theoretical and turn it into practical action.”

Hands-on roles lead to management

Illuz, who holds a bachelor’s degree in computer science and management from the Open University in Israel and a master’s degree in management of information technology from Clark University, and has enriched the degrees with several security and compliance certifications, began his career in a number of hands-on IT roles. “I wanted to ‘get my hands dirty’ by touching as many IT functions as possible,” he remembers. “Responsibilities involving security and compliance today require a broad understanding of nearly every aspect of IT. Without this comprehensive foundation, it is very difficult to catch up.”

Illuz began his security and compliance career as a security administrator at El Al Airlines and moved into similar positions with expanded responsibilities at NetVision Inc., one of the largest ISP providers in Israel, and Strauss Group, a leading food industry manufacturer based in Israel. “I had an opportunity to gain valuable experience and served as the information security manager during my last two years at Strauss Group,” Illuz says.

Experience and education coalesce

In early 2009, ECI’s executive management team recruited Illuz and charged him with designing and implementing a next-generation security and compliance strategy for the company. The comprehensive program he is driving touches on nearly every aspect of ECI’s business, and his broad educational and professional background is proving to be extremely valuable.


YUVAL ILLUZ

“Security will be defined by not only who can access the information but with whom and in what types of interactions–and even when.”

– Eddie Borrero, Director of Information Security, Robert Half International


For example, Symantec wrote more security signatures in 2009 than in the previous 17 years combined, and the company is on track to replicate this feat in 2010.

But the challenges don’t stop with outsiders with malicious intent; they also extend to insiders who largely have good intentions at heart. In particular, consumerization of IT also introduces new complexities, ones that are still being played out. Millennials—Generation Y—grew up with technology and assume that the same technologies they leverage in their personal lives will be available in their work environments. Their predilection for different devices creates various endpoint security challenges that must be addressed with comprehensive endpoint security solutions that include network access control. Their heavy reliance on social media is something that hasn’t been lost on those who exploit individual and organizational vulnerabilities. And despite attempts by some IT organizations to block access to social media sites, it is most assuredly a phenomenon that is here to stay; one that has the potential to drive operational efficiencies, enhanced services to customers, and even revenue.

“It is virtually impossible to stop what goes out on the social networks,” Robert Half International’s Borrero notes. “You can block access from corporate devices but not personal devices. And there is a viable business case around the use of social media.” Both ECI’s Illuz and Presbyterian Healthcare Services’ Sassaman concur.

Podcast: Check out the Executive Spotlight Podcast with Kim Sassaman at go.symantec.com/sassaman-podcast.

Founded: 1907 as Southwestern Presbyterian Sanatorium

Headquarters: Albuquerque, New Mexico

Facilities: 7 hospitals, 30+ clinics

Insurance Plan: 700,000 members

Employees: 10,000+

Security Team: 12 staff

Website: www.phs.org

Healthcare Offerings: A not-for-profit system of hospitals, a for-profit health plan, and a growing medical group committed to improving the health of individuals, families, and communities; hospitals, physicians, caregivers, and insurance plans serve more than 700,000 New Mexicans (one in three).

Symantec Security and Compliance Solutions:

> Symantec Data Loss Prevention

> Symantec Control Compliance Suite

> Symantec Security Information Manager

“We don’t have any shortage of audits in healthcare, and more are coming.”

– Kim Sassaman, Director, Information Security, Presbyterian Healthcare Services


Presbyterian Healthcare Services


And all three of them argue that protecting information on social media sites involves a combination of technology and processes.

“The latest release of Data Loss Prevention includes built-in functionality to do everything from monitoring to enforcing policies on social media activities,” Illuz explains. “We plan to extend this to our environment shortly.” Borrero and Sassaman have similar plans. Nonetheless, all three of them also argue that successful data loss prevention must be broader than just technology; it requires comprehensive security policies and employee training.

There is already a movement toward appliance- versus software-based solutions. “In many instances I’d rather spend time getting the actual solution implemented and configured correctly instead of installing the software and getting it to work on the respective hardware and operating system,” Borrero notes.

The next logical step is toward the cloud. Interactions with, or storage of, proprietary information in the cloud are a key concern for Illuz, Borrero, and Sassaman. But all three are also looking at ways to move security and compliance functions to the cloud. “We investigated traditional security functions such as messaging security or Web security,” Illuz says. “We also have looked at more complex solutions such as data loss prevention or compliance reporting and management.”


Siding with “The Good Guys”

Kim Sassaman always knew what he wanted to do when he grew up. “From the first time my hands touched an Apple II in junior high school, I realized that IT was for me,” he relates.

As a student at Sam Houston State University in Texas in the early 1990s, Sassaman discovered the niche of IT security. “At the time, the university didn’t have security on its systems; so anyone could just walk in, sit down, and start exploring,” he recalls. “I started meeting people there, and soon found they were doing things they weren’t supposed to be doing.”

“I had an epiphany one day,” Sassaman continues. “I thought, ‘If I can access systems so freely, what would stop someone from committing malicious crimes?’ I come from a long line of law enforcement in my family, so I started wearing a white hat. I asked myself, ‘Who is securing our virtual borders?’”

Launching a security practice

After college, Sassaman did stints in the energy, technology, financial services, and telecommunications industries—in roles that encompassed both engineering and management. Each of these roles included a security component.

After serving as a security consultant for several years for International Network Services, Sassaman launched an IT security consulting practice as managing director of a small firm called Orange Parachute. “Our firm was primarily focused on doing ISO27001 certifications for large multinational organizations,” he explains. “We honed our practice on building a quality security management program.”

Finding a home in healthcare

In October 2008, the CIO of Presbyterian Healthcare Services, Donna Agnew, approached Sassaman to remediate a plethora of IT audit findings. Sassaman worked at the site for the next six months and prepared a multi-phase proposal for moving security to the next level.

Presbyterian Healthcare Services then offered Sassaman a permanent position to implement the recommendations he had made. “I truly felt that my personal mission was evolving toward information security in healthcare,” he says. “I looked at a field that was young and growing, and that was exciting. So I decided to wind down my consulting practice and go to Presbyterian Healthcare Services full time.

“There are good guys and bad guys in the online world,” Sassaman concludes, “and I want to side with the good guys.”


KIM SASSAMAN

[Chart: Attitudes Toward Information and IT. Source: “Unlocking the Value of the Information Economy,” HBR Analytic Services, January 2010. Statements surveyed:

> Our organization’s information security policies hinder our ability to grow our business

> The interests of individual business units hamper our ability to fully exploit information at an enterprise level

> The IT structure in our organization is flexible and responsive to changing business conditions

> Our investments in IT are primarily to reduce costs and drive efficiency

> Our company has a cross-functional governance structure for making decisions about investments in IT

> Our CIO is involved in discussions about new products or strategic directions from the start

> We struggle to make the best use of the vast amount of information we have

> Investing in IT is critical to growing our business

> We view our information as a key strategic asset

Percentage pairs shown on the chart, in the order extracted: 45%/40%, 23%/48%, 17%/50%, 16%/35%, 12%/32%, 9%/39%, 8%/29%, 7%/31%, 4%/15%.]


Evolution is ongoing, and information security leaders like Borrero, Illuz, and Sassaman are already looking to the next wave of security and compliance initiatives. Those will need to go beyond information to the actual identities of those participating in the interactions where information is exchanged. “We’re already seeing this with the Data Insight technology,” ECI’s Illuz observes. “A more granular and accurate picture of our information architecture, when applied in conjunction with our backup and storage retention policies, has the potential to drive substantial reductions in storage.”

Robert Half International’s Borrero adds: “Security will be defined by not only who can access the information but with whom and in what types of interactions—and even when.”

Destination: “Somewhere over the rainbow”

The security and compliance profession has evolved into a much more strategic and sophisticated role within both the IT function and even business. Just a few years ago it was infrastructure-centric; the right antivirus, network, and gateway security solutions equated to a job well done. This is no longer the case. Successful security leaders manage security and compliance at the layer of information—and are looking beyond to subsequent permutations in the threat landscape.

At the end of the day, the goal remains the same as the aspirations of Dorothy, played by Judy Garland in the 1939 film, who sang the now signature song “Over the Rainbow” after arguing with her aunt and uncle. The lyrics of the song convey her desire to escape the travails of her aunt’s and uncle’s farm in Kansas; to be transported to a place where the clouds part and the rainbow appears on the near horizon.

1 “Automation, Practice, and Policy in Information Security for Better Outcomes,” IT Policy Management Group, May 2010.

2 “Unlocking the Value of the Information Economy,” Harvard Business Review Analytic Services, January 2010.

3 “In the Crossfire: Critical Infrastructure in the Age of Cyber War,” Center for Strategic & International Studies, 2009.

Patrick E. Spencer (Ph.D.) is the editor in chief and publisher for CIO Digest and The Confident SMB. Mark L.S. Mullins is a managing editor for CIO Digest and The Confident SMB.

Implementing a Security Strategy

After being hired as Presbyterian Healthcare Services’ first director of information security, Kim Sassaman and his newly-formed staff of 12 began plotting their strategy for implementing the technical recommendations he had brought in as a consultant. They first developed an Information Security Management System (ISMS) based on ISO27001. This process identified several priorities. “First and foremost, we needed visibility,” he says. “Imagine if you purchased a car that didn’t have any gauges or meters on the dashboard. You would never know trouble was brewing.” Other requirements included compliance monitoring and reporting, as well as the development of policies and standards.

After evaluating several vendors’ offerings, Sassaman and his team concluded that Symantec’s IT compliance and data loss prevention solutions were the best fit for the organization’s strategic priorities. In the summer of 2009, Presbyterian Healthcare Services purchased Symantec Data Loss Prevention, Symantec Control Compliance Suite, and Symantec Security Information Manager.

Understanding data in motion

“Data Loss Prevention has given us a deep level of understanding of how data is being utilized,” Sassaman notes. “The vast majority of employees are doing the right thing and just don’t know how to do it securely. We began with the Monitor functionality to get a picture of how information is being utilized.”

The team is now phasing in the Prevent functionality to enforce security policies that have been developed with input from all business units and honed through testing. “We’re doing this deployment very carefully, as we need to make sure that critical medical information gets through when it needs to,” Sassaman says.

Monitoring and reporting on security

“We don’t have any shortage of audits in healthcare, and more are coming,” Sassaman notes. “So Control Compliance Suite has helped us in many ways beyond preparing reports. The Standards Assessment Module has helped us to build configuration standards for our endpoints and report on how many are in compliance. The Policy Module helps us to build and enforce policies. And we’re looking at leveraging the Response Assessment Module to start testing people for awareness of security best practices.”

Symantec Security Information Manager gives Sassaman’s team an integrated view of the organization’s security landscape. “We have a lot of our controls reporting into it, and I have an individual who’s constructing reports and doing analytics on the information,” Sassaman notes. “It’s helping us a lot, especially with our change management program, because we can now detect changes in the infrastructure. It also helps us with process conformance because we can identify lapses inside of a process.”

Looking to the future

Sassaman’s team is currently testing Symantec Protection Suite Enterprise Edition as a possible replacement for a variety of security technologies now found at the organization’s endpoints. “There’s a business value justification to combining several technologies into one agent, and it will improve efficiency to have products that integrate well,” Sassaman explains.

Sassaman and the chief technology officer are also evaluating the Altiris IT Management Suite to manage clients, servers, and assets. “Such a technology would benefit the security group as well as the infrastructure group,” he comments. “The fact that our CTO was previously a CISO means that I have a true partner in the infrastructure space.”


PRESBYTERIAN HEALTHCARE SERVICES