From ON Magazine
Enabling the "Hyper-Extended" Enterprise in the Face of Unprecedented Risk
By Christine Kane

Coined several years ago, the term "extended enterprise" acknowledged that organizations are no longer just made up of employees and management, but also encompass partners, suppliers, service providers, and customers. Taken to the next level, today's "hyper-extended" enterprise is exchanging information with more constituencies, in more ways and more places than ever, enabled by technologies such as cloud computing, virtualization, and social networking.

Describing this new landscape, Roland Cloutier, vice president and chief security officer for EMC Corporation, says, "The enterprise is drastically changing, not just who we connect to or how we connect to them or who has access to what information, but the basic premise that our enterprise or corporate operating environment is now migrating outside of our basic operational control infrastructure."

Adding to the challenge, a difficult economic climate is motivating enterprises to achieve extreme levels of efficiencies and speed of operations. For example, many are aggressively pursuing outsourcing relationships encompassing new technologies (such as cloud computing), new partners, and new locations beyond traditional offshoring centers.

New levels of risk tolerance

In the meantime, risks and threats are growing exponentially while the resources available to mitigate them are on the decline. As a result, businesses may be willing to assume potentially dangerous levels of risk, without sufficient due diligence or consideration for information security. As Craig Shumard, chief information security officer for Cigna Corporation, explains, "People will talk in terms of 'risk acceptance.' And essentially they'll move the bar to satisfy whatever they want to spend, as opposed to necessarily looking at it from a risk standpoint. I think there will be a very high risk tolerance when they don't want to spend the money on security."

In this climate, a new paradigm for information security is sorely needed. In the most recent report from the RSA-sponsored "Security for Business Innovation" series, a panel of top information security executives offers its analysis of this emerging terrain and provides recommendations for developing an updated information security model that reflects the opportunities and dangers at hand. Below is a summary of the council's key recommendations, each with the rationale offered by one of its members.

Recommendation:
Rein in the protection environment

Figure out ways to use resources more efficiently. Curtail the use of security resources for protecting extraneous information assets, stored data, and devices. You will reduce risk and free up resources for high-priority projects.

Rationale: "One of the challenges for security professionals is to be able to make informed triage choices that are necessary when you're dealing with such a fast-paced, dynamic, global set of threats, challenges, risks, and domains. So you have to develop this ability."
—Bill Boni, corporate vice president, information security and protection, Motorola

Recommendation:
Get competitive

Move away from silos of security to centralized, shared services that are provided by the information security department to business customers across the enterprise. Increase the focus on service quality and efficiency. Otherwise, business units will "do it themselves" or go to an external provider.

Rationale: "Remember, security is a product. Products today have to be at the right cost to be competitive. So cost is always going to be important, because you're not going to have the comfort of big budgets now.... The other part is how you deliver that program. It has to be efficiently and effectively executed."
—Dr. Claudia Natanson, chief information security officer, Diageo

Recommendation:
Proactively embrace new technology on your terms

Accept that it's not feasible to simply say "no" to emerging web and communications technologies. Rather, figure out a way to enable the secure use of cloud computing, social networking, and virtual desktops.

Rationale: "Security officers have to be out there explaining to other executives and senior people in the company how they're going to approach the move to the cloud.... And if the business wants to move faster, you'd better have an answer about what resources you'll need to get it done faster, because if... you say, 'I don't know,' you're going to be a former CISO."
—Roland Cloutier, vice president, chief security officer, EMC Corporation

Recommendation:
Shift from protecting the container to protecting the data

A great deal of enterprise data is processed and stored in containers not controlled by the enterprise. Security needs to shift the focus from protecting the container to protecting the data itself. Rights management and digital XML paper are examples of up-and-coming technologies that embody this principle.

Rationale: "Consumerization will force enterprises to allow people to bring in their own devices. From the security point of view, you need to be able to focus completely on the data elements and not care about the kind of device or if it's internal or external or whatever."
—Andreas Wuchner, head IT risk management, security & compliance, Novartis

Recommendation:
Collaborate to create industry standards

Uniform standards need to be developed in key areas including updating the accreditation of information security professionals, interoperability standards for cloud computing, and standards for third parties to assess providers of cloud services and business-process outsourcing.

Rationale: "Information security has become too important a subject to allow someone to read a book and then carry out the work.... Professional accreditation would ensure that security knowledge and capability meet an accepted standard, and skills can be cross-recognized."
—Dr. Paul Dorey, former vice president, digital security, and chief information security officer, BP; director, CSO Confidential

Recommendation:
Share risk intelligence

To learn from each other's experiences and defend against the international fraudster ecosystem, enterprises, law enforcement, and government need to cooperate more closely—for example, sharing information about security incidents, vulnerabilities, fixes, and known perpetrators.

Rationale: "We need to develop an intelligence capability so we know what's coming, and we can prevent things from happening in the first place.... It means moving to a more preventative security model and being able to share information with each other."
—Dave Cullinane, vice president and chief information security officer, eBay Marketplaces
