PGP Blogs

I had the privilege recently of delivering the keynote address at the 4th Annual IDC Security Forum in New York with Julie Donohue, IBM's VP of Security and Privacy Practices. Those of you who are regular readers of my blog know that I’ve been preaching the need to "Protect the Data" since we re-formed PGP Corporation 5 years ago. What I learned in listening to Julie is that the ideas we were promoting in 2002 have gone mainstream in a big way.

Julie did a wonderful job of explaining why implementing comprehensive and effective data protection strategies has become a mission-critical function for her at IBM. It turns out that she has to certify, in writing, once each quarter that her entire organization is in compliance with IBM's policies on privacy and data protection. She does, of course, have the advantage of having to comply with just one, all-encompassing policy that IBM developed in compliance with the COBIT* guidelines developed by the Information System Audit and Control Association (ISACA).

The most interesting thing I learned in listening to Julie was how the role of data security has fundamentally changed at IBM in the last few years. As she says, "Security is now a noun at IBM, not an adjective." It's a great line, but to understand what Julie means, it really helps to see the graphic she uses to explain it.

As we've said for a long time, the perimeter is now only the first line of defense. To implement a comprehensive data protection strategy, you need to constantly consider how to protect the data that’s never protected by perimeter defenses: laptops, smart phones, thumb drives, and even MP3 players now carry confidential information. You also have to determine how to protect the information that does reside behind the increasingly porous firewall "Maginot Line".

The decision to develop a new approach to protecting data indicates that IBM also now clearly believes that data is the "new currency" of the Internet (Corporate Currency). The approach IBM is taking to protect its own and its clients' data is to develop a suite of services that protect both devices and content and constantly evolve to address the ever more sophisticated threats we now face. It’s going to be interesting to see how far IBM goes down this path and how quickly. In the meantime, I would encourage anyone with information security and privacy responsibilities to take a few minutes to watch the keynote.

- Phil

*Control Objectives for Information and Related Technology