Not long ago, they didn't talk to each other. Security folks and network administrators worked in their own silos, sharing little except log information. Compliance people worked with finance and accounting. Privacy people were mostly in the legal department.
As security breaches and compliance issues come to the fore, however, those silos are rapidly breaking down. Last week at the RSA 2008 conference in San Francisco, security experts and vendor executives were not only talking about communication between these formerly-separate functions, but about the convergence of security-related disciplines.
John Worrall, vice president and general manager of the Information and Event Management Group at RSA, agreed. "As companies see the breaches around them and the impact they can make, they're asking how they can be sure they're secure," he said. "Compliance is part of it, but compliance with regulatory policy might only address 40 percent of your security issues. To truly answer the question, you need to define what security is, you need to look at your internal security policy and see if it matches what you've set out to do as a business."
Many security vendors -- and some enterprises -- hope to achieve convergence of security and privacy efforts by launching an array of technologies and disciplines built around the concept of IT governance, risk, and compliance (GRC). But some critics have complained that GRC is too broad to be useful as a tactical solution. (See Too Much Access.)
In the shorter term, what's really needed are ways to improve communications among the various silos that have a stake in enterprise security, experts say. The networking people should be talking to the security people; the security people should be talking to the privacy people; and everybody should be talking to the compliance managers.
Some vendors and experts suggest that this communication will occur naturally as companies attempt to identify and secure their sensitive data and move toward a data-centric security model.
"What we need is a fundamental shift," said John Thompson, chairman of Symantec. "We need a risk-based approach that addresses data at rest and in motion. I need to know what sensitive information do I have, how is it stored, and how is it used. I need to set rules for archiving and encryption, and those policies must be aligned across the business."
Thompson's ideas were demonstrated in products at the show. RSA's new Data Loss Prevention (DLP) Suite, which will be co-marketed by Cisco, offers the means to analyze data, identify sensitive information, and apply policies for protecting it. (See RSA Takes Suite Approach to Data Leak Prevention.)
Other vendors suggest that the links between the silos can be made by integrating tools and processes bilaterally, without necessarily making a wholesale shift in the way that the enterprise handles data. For example, many vendors and IT departments are finding ways to integrate IT security and IT operations, two disciplines that formerly operated independently.
"When I first took over as CIO, our security people and our IT operations people were in separate groups," said Dave Hansen, former CIO at Computer Associates and currently senior vice president and general manager of CA's Security Management business unit. "Now, as we put in new operations teams, there are security people integrated into them."
CA, like other vendors that make both security management and network/systems management tools, is working to integrate the data from those applications so that operations people and security people can work together to locate the sources of potential problems. In interviews at the show, executives from Cisco, IBM, McAfee, and others all said they are working on the integration of security management and traditional enterprise management tools.
"We see a natural integration point between what we're doing with security information and event management (SIEM) and Tivoli [enterprise management products]," said Joe Anthony, program director for identity and compliance management at IBM's Tivoli unit. "There's a need for them to share information -- it probably won't be the same person operating both applications, but they both need to be able to pull information about user activity from the system."
A similar type of integration is taking place between tools that collect security event information and tools designed to track and manage regulatory compliance, noted George Kurtz, senior vice president and general manager for McAfee's Risk and Compliance business unit.
"In the last six months, we've built a partner program that helps us to partner with SIEM vendors so that we can share data," said Kurtz. "It takes a lot of time and heavy lifting to do SIEM, so it doesn't make sense for us to reinvent the wheel when there are a lot of vendors out there who do it well." SIEM tools can help companies collect the data they need to prove that they are in compliance with regulatory and industry guidelines, he observed.
Like the enterprise management vendors, McAfee is also seeing a growing need for integration between security operations and IT operations, Kurtz said. "The systems and networks have to be up and running for the security people to do their job, and security incidents can affect operations," he said. "There are different views for different roles in the organization, but they all need to share some data."
New rules requiring disclosure of security breaches and the growing market for stolen personal information also necessitate a closer relationship between two other groups that previously didn't speak much: the IT security team and the corporate privacy team, experts say.
"Now when there's a breach, it's not just an issue of IT pulling the plug," noted Deloitte's Mears. "There are legal issues with disclosure. There are privacy issues if personally identifiable information is involved. There are brand issues if the breach is public. The question of how I respond to a breach has changed, and it involves cooperation by a whole group of people."
So how long will it take for all of these different enterprise groups to get together in some sort of "converged" model? "It depends on the organization," said an attorney who has worked with enterprises on privacy and security law. "If they don't have a problem, it might never happen. But if there's a breach, all of those people could end up in a room together pretty quick."