When CIOs stop buying computers that lack public-key encryption tools, that's when companies will begin to get serious about data protection. When CIOs start using encryption communications services that permit only messages to and from whitelisted sources, that's when IT management will be seen as serious about securing business information. Until then, IT executives are merely pretending to defend their companies and their people.
It's up to CIOs to take the lead in this, and I'm flummoxed as to why the top IT leaders at the biggest and best companies are afraid to tackle the issue head-on. When the big manufacturers latched onto the notion of electronic data interchange, suppliers around the world had to adopt the technology or lose business. When Wal-Mart demanded that its suppliers use RFID, companies raced to see who could get there first. But to date, no big IT organization has told its stakeholders that henceforth all communications will be secure, meaning "use encryption and get on our whitelist or get lost."
It's time for CIOs to stop dillydallying with Band-Aid solutions like "endpoint" security and arguing about the finer points of agent or agentless approaches. The only serious issues to debate revolve around encryption key management and which encryption services to use. Stop yakking. Act.
Our messaging systems, thanks to the Internet and mobility, are in dire straits because of malware. Take viruses. Chinese antivirus firm Rising reports that last year, 234,211 new viruses appeared in China alone, with 90 percent of them designed to steal information from users. Postini (whose service Computerworld uses to filter its considerable malware and spam) reports that in December 2006, 94 percent of all e-mail sent was spam. The 2007 Postini Intelligence Report goes on to fret that the existence of botnets, which are hiding behind more than 1 million IP addresses, "threatens the viability of e-mail as a productive business tool." And the overhead for processing mail leapt 334 percent in 2006 because of tricks such as image-based spam, says Postini. In effect, the IT resources needed to deal with evil e-mail tripled last year, while fewer than one in 10 of the messages was worth receiving.
If you think the big IT vendors fully grasp the problem, think again. In 2004, Bill Gates told the World Economic Forum that spam would cease to be a problem. "Two years from now, spam will be solved," he said. Not quite. Vendors won't solve this problem. You will, by taking the lead to accept only encrypted messages from known entities on your whitelist.
Here's how you do it. First, jettison the snail-mail mentality that believes electronic messages should be treated exactly like communications handled by various nations' post offices, which endeavor to deliver all letters and packages to any address on their countless mail routes. Certainly, such a system made complete sense during the Age of Enlightenment, when postal networks emerged in the West. And it still serves us extremely well today. But e-mail, instant messages, text messages and the like aren't the same. Just because someone gets your Internet address, there's no earthly reason to assume that person has the right to deliver something to your PC in-box without your approval, especially when the contents of so many messages contain programs designed to waste your time, destroy your data, steal your identity or rob you blind.
Second, IT should encrypt all messages going out of the company and accept only encrypted communications from sources that it subscribes to, using a publish-and-subscribe model between the organization and outsiders. There are numerous companies -- Hush Communications , Lux Scientiae , Microsoft and PGP , to name a few -- that offer encryption products and/or services and will gladly provide publish-and-subscribe-style communications.
Third, you will need to plan for transition problems. Companies and people with whom you now communicate in clear text freely over the Internet will complain about having to subscribe to your whitelist and add encryption tools to their organizations. You'll need to tell people that effective security is now part of the cost of doing business with your company, just as you did when people started whining about EDI and RFID. Naturally, you will need to develop business processes to let people in your organization add their friends and family members to the whitelist and get them accounts on public encryption services. Those are minor details.
The big win will be in security. Think about it: If all your communications are encrypted, and you manage the keys and only those on your whitelist can get through, malware will wither and die. That's serious security.