Sin-Yaw

IP Protection and IT Security

I am one of those security enthusiasts. You know, we get excited, and guarded, when someone brings up a topic related to security. As the years went by, I learned not to chime in until I am certain that the audience is also made up of professionals. It is best that normal people not know this part of me.

I am also an engineering manager. When I have a goal, I lay down plans to optimize the probability of achieving said goal. These days, the plans always have a large socialization element: the part that obtains support and agreement from certain groups of people. Yes, the plans must also get the resources and time elements right. I have seen, and experienced, too many failures that were root-caused to poor socialization. Call it the tipping point requirement.

It is easy for enthusiasts to effect change via scare tactics, not much different from those of an insurance salesperson. “You are not protected.” What follows is usually a list of scary vulnerabilities and a broad request for money. The response from senior management is usually grave concern and approval for further studies. Teams get formed, people get busy, time passes, a thick report and a slide deck materialize.

And it usually gets nowhere. Frustration. Low morale. Team meetings become a venting venue. Gradually, it dwindles into bare existence. A couple of years later, a newcomer finds it, infuses some energy, and repeats the whole process.

There is a more practical approach: treat it as an engineering project and manage it like one. The Six Sigma world has a well-defined methodology: DMAIC (Define, Measure, Analyze, Improve, Control). It may sometimes feel too heavy, but the spirit is pretty much good engineering common sense.

First, identify widely agreed and easy to implement IT security best practices and deploy them one at a time. Let me repeat: widely agreed, easy to implement, one at a time. The idea is to put the whole company on solid footing on the basics. While doing this, purchase several penetration tests. These are the steps for preventing inadvertent employee leakage and casual opportunistic theft. When the barrier is just high enough, these petty attempts disappear.

With basic barriers in place and well practiced, the company can move on to the next step: identifying the assets to protect. The normal ones are: engineering IP, company planning documentation, company brands, personnel data, etc. Not only must the assets be known; the damage incurred when they are compromised should also be fairly assessed.

At the same time, agree on the villains: malicious employees, current competitors, future competitors, professional hackers, etc. Assumptions about their organization and funding must be examined and documented.

These two steps essentially create a two-dimensional matrix: one axis being the assets and the other the villains. One can sort the rows and columns so that the most extreme cases converge at one corner and conceptually form a ladder of value and vulnerability.
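As an added illustration of the asset-by-villain matrix described above (example code, not from the original post; the asset list, villain list and the 1-to-5 scores are constructed assumptions), this script builds the matrix, sorts rows and columns so the extreme cases converge in one corner, and flattens it into the ladder of value and vulnerability:

```python
# Added example: an asset x adversary risk matrix. All names and scores below
# are constructed for illustration, not data from the post.

# Damage if the asset is compromised, 1 (minor) to 5 (severe). Constructed values.
ASSETS = {
    "engineering IP": 5,
    "company planning documents": 4,
    "company brand": 3,
    "personnel data": 4,
}

# Assumed organization and funding of each villain, 1 to 5. Constructed values.
ADVERSARIES = {
    "malicious employee": 3,
    "current competitor": 4,
    "future competitor": 2,
    "professional hacker": 5,
}

def risk_score(damage, capability):
    """One cell of the matrix: damage weighted by adversary capability."""
    return damage * capability

def build_matrix(assets, adversaries):
    """Return {asset: {adversary: score}} covering every asset/villain pair."""
    return {a: {v: risk_score(d, c) for v, c in adversaries.items()}
            for a, d in assets.items()}

def sort_matrix(matrix):
    """Order rows and columns by descending totals so the worst cases meet
    in the top-left corner. Returns (row_order, col_order)."""
    rows = sorted(matrix, key=lambda a: sum(matrix[a].values()), reverse=True)
    villains = next(iter(matrix.values()))
    cols = sorted(villains, key=lambda v: sum(r[v] for r in matrix.values()), reverse=True)
    return rows, cols

def ladder(matrix):
    """Flatten the matrix into a ladder: (score, asset, adversary), highest first."""
    cells = [(s, a, v) for a, row in matrix.items() for v, s in row.items()]
    return sorted(cells, reverse=True)

if __name__ == "__main__":
    m = build_matrix(ASSETS, ADVERSARIES)
    rows, cols = sort_matrix(m)
    print("asset".ljust(28) + "".join(c.ljust(22) for c in cols))
    for a in rows:
        print(a.ljust(28) + "".join(str(m[a][c]).ljust(22) for c in cols))
```

The top of the ladder is the cell where the most damaging asset meets the best-funded villain; that corner is where the first real engineering project should go.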

The next step is a function of resources and skill-sets: good engineering projects. That’s the easy part.
