Many organizations fail at data discovery and classification because they leave it up to an IT team to undertake the project, Brock said. The business needs to own it and policies eventually have to be driven down to ensure that the business owner takes accountability for the crown jewels, he said.
Once each business owner was identified, the company started the more difficult process of analyzing how to protect the individual corporate assets. DuPont started with rolling out stronger encryption and moved to data leakage protection.
"We looked at all those different tools and in each case we found that you had to get the owners and users to find the right way to protect it," Brock said.
The biggest issue at a high-tech company with a massive research and development budget is how to protect the research without placing too many restrictions on it and stifling creativity and, ultimately, innovation, Brock said. When building security controls around research information, the company made technical leaders within research the control points for deciding who should have access to the data.
"The research organization was very concerned about the potential of restricting collaboration," Brock said. "It's very difficult to determine where the next breakthrough is going to come from; the breakthrough in business unit A may come from something that business unit B discovered in the way certain polymers and processes are being used in that business."
According to Brock, two-factor authentication and other multifactor authentication technologies are vital to thwarting attackers and reducing the risk of a data security breach. An important approach to truly strong authentication is to use an out-of-band technology, which makes it even more difficult for an attacker to target, Brock said. DuPont was an early adopter of two-factor authentication, using RSA SecurID in 2002 and 2003. In recent years the organization began migrating to PKI, with certificates on USB drives used to authenticate users to Microsoft SharePoint through a solution from Symantec and its VeriSign unit.
"With phishing and drive-by exploits we knew you can easily bypass a firewall, so the issue was how to keep the data in," Brock said.
How did Brock keep his job after so many security incidents? Brock credits his long history at DuPont working in various roles and a strong understanding of the organization's various business units.
"I had a broader perspective than just IT, which enabled me to build collaborative relationships across the businesses and really drive the ownership well beyond what IT can do," Brock said. "It takes business leadership and functional leadership to be very focused."
PUBLISHED MAY 13, 2013