On July 14, the Department of Defense announced that a foreign government had hacked into Pentagon computers and compromised more than 24,000 documents.
On July 15, one of the worldwide leaders in the field of information security spoke to about 200 Lab employees about top strategic security imperatives.
Gary Terrell, Adobe's chief information security officer, described the top strategic initiatives businesses must launch to meet the growing threats of worldwide cyber-crime. "Security leadership needs to fundamentally change its perspective and, in many cases, make a 180-degree turn to protect their digital assets," Terrell said. "And the time is now."
From his vantage point as president of the Computer Security Officers Council, Terrell believes there are four important initiatives businesses should launch:
- Evolve security strategies from an "outside-in" approach to an "inside-out" approach. Terrell said he believes advances in commercial system security practices have reached a plateau and further development will cost too much money and incur too much user inconvenience. Instead, Terrell proposes businesses should focus on the data they are trying to secure and better monitor and manage how that data is accessed and manipulated.
- Related to the first initiative, Terrell believes a greater investment is required to protect data through more sophisticated encryption techniques. If businesses have done all they can do to lock up their data, and that data can still be reached, then businesses must make greater efforts to ensure that, even when the data is stolen, the data is useless to the thief.
- The momentum to move data from corporate-controlled systems into private and public clouds is creating increasing problems in managing security. Terrell explained that data used to exist on specific disks attached to specific computers linked by well-defined networks. Because data lived at specific addresses, it was much easier for computer security to watch the front door and back door, so to speak. Nowadays, data is floating around clouds that are loosely coupled and organized and may exist for mere minutes. Computer security doesn't know where the data actually is, much less where, by whom and how it's being accessed.
- Mobile computing is exponentially increasing the security complexity. Not only is critical data being cached on an ever-growing number of mobile devices, more companies are "mobilizing" the data too. Increasingly, commodity business elements such as benefits and other human resource functions are outsourced. Heavily regulated data such as an employee's sick days -- HIPAA data -- might not be deliberately managed across the networks it must pass through between a time card on an iPhone and the virtual corporate data.
Spain says he has organized this series of talks to help the Lab better understand the issues related to computer and network security and different approaches to addressing them.
On behalf of Adobe, Terrell is active in several industry organizations, including the High Tech Criminal Investigation Association, the Computer Security Institute, the Information Systems Security Association, the Open Web Application Security Program and INFRAGARD, an FBI program run in coordination with the Department of Homeland Security that has a goal of protecting the country's critical infrastructure.