CSO Counsels Restraint

LAS VEGAS -- Encrypting every piece of data at rest within an organization could be expensive overkill.

According to Al Kirkpatrick, chief security officer at information services firm First American Corp., many users may not need as much encryption as some industry sources are advocating.

Kirkpatrick, whose firm provides services such as document processing to the real estate industry, explained that he is responsible for "billions of records stored on terabytes of data," during his Interop keynote Tuesday. According to the exec, this includes the world's largest Microsoft SQL Server database.

But the security chief warned other IT managers not to buy into the "soundbite du jour" of encrypting all this information. "The jive that bothers me is that you have got to drop everything and encrypt all data at rest at the moment," he explained. "You have got to look at the whole puzzle -- you're not going to have enough money to do it all."

A number of vendors, including Decru, EMC, StorageTek, and IBM, are targeting this space, and a slew of offerings are available to encrypt data. (See Quantum, Decru Hook Up, IBM Certifies Decru, Decru Joins StorageTek Program, and Analysis: Storage Security .)

"I am not saying that it's not important," notes Kirkpatrick. "For some people [encrypting data at rest] will be very important, depending on what the data is, what type of database they have, and the protection around it."

But the exec says that data being moved from site to site on tapes worries him much more than information sitting on his back-end servers: "It's data in movement that scares me to death right now."

An IT manager from a Midwest financial services firm, who asked not to be named, agrees with Kirkpatrick's assessment. "Within the organization there needs to be some consideration of encryption for some types of data, but it's not critical. I think that encryption where you have data leaving your facility, however, is key," he says.

Even some storage vendors have identified encryption as an area where there are no quick fixes. (See Storage CTOs Debate Security and Insider: Encryption Means Planning.)

Kirkpatrick also used his keynote as a pep talk for IT managers with an eye on a career in security. "You have got to fundamentally understand all the domains of the technology," he explains. But he warns against getting too hands-on. "Once you have got to the chief security officer level, you have to trust the people around you to take care of the bits and bytes."

But the job is about much more than firewalls and intrusion detection systems, and Kirkpatrick warns that security chiefs need to think on their feet, fielding calls from the media one minute and "outraged" users the next. "It takes a lot of communication skills, and you have got to keep your cool throughout all of that."

A typical CSO, according to Kirkpatrick, is going to be pulled in a number of directions. "You have so many different constituents that are competing for your time and attention," he says, ranging from vendors to board members and auditors. "If you're not one to juggle this and handle it, it will drive you crazy."

IT managers looking to become successful security execs should also be extremely conscious of their firm's funding climate, according to Kirkpatrick, and make realistic demands for money. But conversely, they should not cave in to boardroom financial pressure. "Don't be backed into a corner. Don't let them con you into promising [security] for zero dollars."

Ultimately, however Kirkpatrick, warns prospective CSOs to brace themselves for tough times. "Bad things are going to happen unless you are an incredibly gifted, lucky, person," he says. "And, if so, I want to hire you so that your aura can follow me around."

— James Rogers, Senior Editor, Byte and Switch

Organizations mentioned in this article: