SAN DIEGO -- Storage Networking World -- Maverick staff, portable media, and stolen laptops are just some of the issues keeping CIOs and IT managers up at night, according to a panel discussion here this week.

Execs agreed that their data protection strategies are coming under greater scrutiny in the aftermath of high-profile security snafus at the Department of Veterans' Affairs, ChoicePoint, and Time Warner (See On the Brink of Storage Disaster, ChoicePoint Fined $15M, Time Warner Talks About Lost Tapes, and The Year in Insecurity.) "There's a lot more visibility on the breaches and compromises," said Michael Cole, deputy CIO of defense contractor SAIC. (See SAIC Stretches Database Limits.)

The exec admitted that he received a serious wakeup call soon after joining SAIC two years ago. "Shortly after I came on board we had an experience where some burglars broke into one of our buildings and stole about eight laptops," he said, explaining that the laptops contained personal information on employees. "It was very shocking for the company to go through an experience like that."

Since the theft, SAIC has developed a comprehensive strategy for dealing with both physical and cyber security. "As good as we're getting at this thing, this is the one thing that keeps me awake at night," said Cole.

Another panelist, Richard Villars, the vice president of storage systems at IDC, highlighted the emerging risk posed by maverick, yet influential, members of staff. To illustrate his point, Villars used the example of a Wall Street trader he encountered who was bringing in $600 million a year to his employer.

The trader, who had his own NAS, refused point-blank to let his firm get their hands on this kit. "They tried to take it out to do a consolidation [but] they had to put it back in," said Villars. "This guy made so much money, he was treated like a God."

Letting individuals ride roughshod over corporate data and security policies is simply asking for trouble, according to Villars, who warned that some business analytics experts are a law unto themselves. "You will make exceptions for geniuses, and that's where the breaches can happen, because geniuses can lose their laptops as easily as anyone else," he said.

Six Flags Theme Parks, on the other hand, has been careful to limit data access for its employees, many of whom are seasonal workers. "On our point-of-sale systems we're moving more and more toward touchscreen only, no keyboards, locked down systems where you can't plug your iPod in any more," said Michael Israel, the firm's senior vice president of information services, and a security panelist.

The exec explained that Six Flags, which owns 29 parks in the U.S. and Mexico, is in the middle of a major IT restructuring, which involves "segmenting" different parts of the business for security purposes. "For example," he said, "if we bring Kodak in to sell photos to our customers, they are on their segment and it can't be hacked into."

Encryption was also high on the agenda during the panel debate, prompted by the apparent ambivalence of many IT managers toward the technology. (See Encryption on the Back Burner, Encryption's Hard Truths, and Vendors Dive Into Data Protection.) An electronic poll of around 300 audience members revealed that the majority (53 percent) do not encrypt any data. Just over a quarter of respondents confirmed that they encrypt laptop data, although only 8 percent lock down data on all devices, such as USB drives.

The biggest gripe from the panelists concerned the lack of security for portable media such as USB drives, which is something of an ongoing source of frustration for many IT managers. (See Users Go for Data Lockdown.) "It's amazing how much data is stored beyond the PC on external drives," said Cole. "The [security] technology is starting to catch on, but there's no great solution yet."

— James Rogers, Senior Editor Byte and Switch