Employee security awareness, firewalls, data leakage protection, and collaboration are all key components of a healthy information security ecosystem, according to a panel at the MIT Sloan CIO Symposium held Wednesday.

The moderator, Owen McCusker of Sonalysts, asked the panel to describe what companies can do to create a healthy information security ecosystem.

Michael Daly, director of IT security services at Raytheon, said that his company has developed information security guidelines that include employee security awareness training, firewalls and data segregation, and “command and control blocking” that focuses on outbound traffic.

“There are always going to be vulnerabilities on your systems that are unpatched. There is nothing you are going to be able to do about it. So you ask yourself, ‘If I’m attacked, what am I going to do next?’ Watch for the traffic that is leaving your network. That is a key point”, Daly told conference attendees.

Defense in depth is a key information security strategy, noted David Saul, chief scientist at State Street, a Boston-based financial institution. “You need to use all of the tools you have available”, he stressed.

“You need to have firewalls, you need to have data leakage protection… You need to have a combination of technologies… as well as employee awareness”, he said.

Saul also recommended information security collaboration across industries. He noted that there is an organization in New England called the Advanced Cyber Security Center that brings together information security experts from the financial, defense, health care, energy, and high-tech industries to share best practices and threat information and expertise.

Kurt Hakenson, chief technologist for Northrop Grumman’s Electronic Systems, added that collaboration should be not only across industries but also among industry peers.

“Security folks tend to be protective about information about breaches. There is always a balance about sharing that information with your industry peers. You will find that for the operational folks that are involved in the day-to-day work, relationships are critical. Being able to get on the phone is so important, because the adversaries who are targeting you are using the same techniques. They are socially aware”, Hakenson said.

Daly noted that Raytheon and Northrop Grumman are involved with the US government in Project Stonewall, a defense industry group that shares threat information in real time.

Allen Allison, chief security officer at cloud service provider NaviSite, said that providers also share information about security threats. “We undertake analysis of what traffic should look like, does look like, or can look like compared to the norm. We share that with all of our partners”, Allison noted.
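Daly's advice to watch the traffic leaving the network, and Allison's description of comparing what traffic "does look like" against the norm, both come down to the same mechanic: build a baseline of normal egress, then flag what departs from it. The following is an added example of that pass, not code from the panel or from Raytheon, NaviSite or any other company named here. It runs over constructed flow records (hosts, destinations, timestamps and byte counts are all made up), and the three checks it applies are ones the article only implies: a destination/port pair a host has never used before, a transfer far larger than the baseline, and low-jitter periodic connections of the kind a command-and-control beacon produces. The thresholds (`beacon_cv`, `size_z`) are assumptions for illustration, not tuned values.

```python
"""Egress monitoring over constructed flow records: baseline a known-good window,
then flag deviations in a window under review.

Added example, not code from the panel or from any company named in the article.
All hosts, destinations and byte counts below are constructed; the thresholds are
illustrative assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "known-good" window: (timestamp_s, src_host, dst_ip, dst_port, bytes_out).
BASELINE_FLOWS = [
    (0,    "10.0.0.5", "203.0.113.10", 443, 1200),
    (120,  "10.0.0.5", "10.0.0.2",     53,  900),
    (300,  "10.0.0.5", "203.0.113.10", 443, 300),
    (480,  "10.0.0.7", "203.0.113.10", 443, 1500),
    (600,  "10.0.0.7", "203.0.113.20", 443, 1100),
    (720,  "10.0.0.5", "10.0.0.2",     53,  800),
    (900,  "10.0.0.7", "203.0.113.20", 443, 950),
    (1000, "10.0.0.5", "203.0.113.10", 443, 1300),
]

# Constructed window under review: the same hosts, plus one host beaconing to a new
# destination every ~60 s and another host pushing a very large upload over SSH.
REVIEW_FLOWS = [
    (10,   "10.0.0.5", "203.0.113.10", 443,  1000),
    (100,  "10.0.0.5", "198.51.100.7", 8443, 200),
    (160,  "10.0.0.5", "198.51.100.7", 8443, 200),
    (221,  "10.0.0.5", "198.51.100.7", 8443, 200),
    (280,  "10.0.0.5", "198.51.100.7", 8443, 200),
    (340,  "10.0.0.5", "203.0.113.10", 443,  700),
    (341,  "10.0.0.5", "198.51.100.7", 8443, 200),
    (400,  "10.0.0.5", "198.51.100.7", 8443, 200),
    (450,  "10.0.0.5", "10.0.0.2",     53,   900),
    (500,  "10.0.0.7", "192.0.2.44",   22,   50_000_000),
    (700,  "10.0.0.7", "203.0.113.20", 443,  1100),
    (905,  "10.0.0.5", "203.0.113.10", 443,  1000),
    (1500, "10.0.0.5", "203.0.113.10", 443,  800),
]


def build_baseline(flows):
    """Per internal host, the (dst, dport) pairs it normally talks to, plus the
    mean and population stdev of outbound bytes per flow across the window."""
    dests = defaultdict(set)
    sizes = []
    for _ts, src, dst, dport, nbytes in flows:
        dests[src].add((dst, dport))
        sizes.append(nbytes)
    return {"dests": dict(dests), "mean": mean(sizes), "stdev": pstdev(sizes)}


def beacon_score(timestamps):
    """Coefficient of variation of the gaps between connections to one (src, dst, port).
    Human-driven traffic has ragged gaps (high CV); a timer-driven beacon has nearly
    constant gaps (CV close to 0). Returns None when there are too few samples."""
    if len(timestamps) < 4:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else None


def find_egress_anomalies(flows, baseline, beacon_cv=0.1, size_z=3.0):
    """Return a sorted list of unique (kind, src, dst, dport) findings for flows that
    depart from the baseline. Thresholds are illustrative assumptions."""
    findings = set()
    per_pair = defaultdict(list)
    for ts, src, dst, dport, nbytes in flows:
        per_pair[(src, dst, dport)].append(ts)
        # 1. A destination/port this host has never been seen using before.
        if (dst, dport) not in baseline["dests"].get(src, set()):
            findings.add(("new_destination", src, dst, dport))
        # 2. An outbound transfer far above the baseline per-flow size (possible exfil).
        z = (nbytes - baseline["mean"]) / baseline["stdev"] if baseline["stdev"] else 0.0
        if z > size_z:
            findings.add(("large_transfer", src, dst, dport))
    # 3. Machine-regular timing to one destination (possible C2 beacon).
    for (src, dst, dport), ts_list in per_pair.items():
        cv = beacon_score(ts_list)
        if cv is not None and cv < beacon_cv:
            findings.add(("beacon", src, dst, dport))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_egress_anomalies(REVIEW_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(finding)
```

On the constructed data the pass reports a new destination and a beacon for `10.0.0.5` towards `198.51.100.7:8443`, and a new destination plus a large transfer for `10.0.0.7` towards `192.0.2.44:22`; the known web and DNS traffic is left alone. In practice the findings would feed an alert or an egress block-list entry rather than a print loop, and the baseline would be rebuilt from a rolling window rather than a fixed list.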


There are always going to be threats and vulnerabilities in your infrastructure that are unaddressed; there is no such thing as absolute security. Watch for the traffic leaving your company to detect an incident, and have a comprehensive incident handling program to manage it.

It’s all about prioritizing risks and mitigating them in a cost-effective way.
