On the eve of the RSA conference in San Francisco, IT managers weigh security needs in the year ahead against other budget priorities such as technology upgrades and network accessibility.
At the same time, the idea behind systems security is shifting away from daily firefighting toward a more long-range preventative model.
Despite these competing interests, at least one banking company is forging ahead with major system safeguards. Community Bancshares of Mississippi Inc., a Jackson, Miss.-based common holding company for a group of separately chartered community banks, wanted to change its messaging platform, increase security and generally upgrade its network.
Having been an IBM shop for years, the company is switching over to Exchange Server 2007 and Office 2007 and bringing its firewall management in-house for closer monitoring and control.
"We've certainly been making a lot of changes," said Shannon Fitzpatrick, Community Bancshares vice president of distributed systems. Fitzpatrick and Jonathan White, Community Bancshares president of community operations, were brought in because of their Microsoft platform experience at larger organizations.
The security changes included implementing redundant Cisco unified threat management devices that check everything coming in from the Web, choking off spam and other email problems. Those devices are paired with Trend Micro Inc.'s anti-spyware software, and together they reduce spam and prevent criminals from accessing the bank's network.
"People are ecstatic because their mailboxes are no longer full of spam," White said. At the same time, combining software and devices helps keep employees safe and makes them more productive, he said.
"It helps us protect the company and the employees themselves," White said. "Because we're a banking company, security is very, very important."
For Wendy Williams, MIS director for Koss Olinger Financial Group Inc. in Gainesville, Fla., security is equally important. The company helps people make financial investments, and it must keep that data confidential. "Customers want access to their financial data," Williams said. "They want the convenience of receiving it in their mailbox, but we have to make sure it is secure," she said.
This year her department's focus will be on encrypting email so customers can conveniently yet securely get their investment information. She is developing a proposal on it for company officials, but the first step is to become a certified authority so that email can authenticate before they are sent or received.
Focusing on policy-based security
For many companies, government-regulated compliance can take up much of their security focus.
"We've seen an industry shift to policy-based security from vulnerability-based security," said Adam Lipson, president and chief executive officer of Pearl River, N.Y.-based security consulting firm Network & Security Technologies Inc.
Policy-based security is built around proving the identity of authorized users and levels of access within the system. In contrast, vulnerability-based security revolves around specific threats, he said.
In the end, Lipson said, policy-based security brings a company more security. He used the example of how to protect a house.
"With a policy-based security system you are saying, 'let's see what we need to protect ourselves,'" Lipson said. "We need locks on the doors and the windows. If someone breaks a window, we need a second line of defense. We need an alarm system. But you may not need a vault or a stainless steel door. So it may take a little more time monitoring and executing, but, overall, it will be more secure," he said.