In the early history of America, there was a man named Willie Sutton who was an infamous bank robber. When he was asked why he robbed banks he sarcastically replied, “. . .because that’s where the money is.” While this answer may have been fabricated it aptly captures the choice of target. More than 70 years later the metaphor applies to how cyber criminals target corporate information stores – it’s where the money is. The difference between a high profile bank heist and the theft of millions of confidential records by cybercriminals is that there are many more points of entry further complicated by remote accessibility. Today, instead of one armed guard protecting the vault from a masked man, the maturing security industry provides many electronic sentries but not always with the same result.

The vendors who make up the enterprise information security industry have been prolific in producing technologies and products that protect data. There are products designed to protect data stored in laptops, databases, fileservers and protect data being transferred inter and intra systems, between e-enabled applications and between partner systems or wireless devices using all types of protocols. By virtually any measure the array of industry offerings have been successful in providing the advertized protection.

Building on these advancements, the businesses are able to provide wider access to applications and information to a broader audience of customers, partners, and employees utilizing a dizzying array of access methods, protocols, and devices. The information security industry has continued to grow by providing even more technologies and products. Success breeds success; the information security industry has been enabling business growth and businesses are scooping up protection as fast as it becomes available. The result of more protection is more complexity. The challenge for businesses today is managing the very complexity they’ve created by adopting more and more of the innovation that the industry serves up year over year. Following is a closer examination of three factors contributing to complexity:

First, the very infrastructure, which most enterprises now have in place to protect themselves, is growing and becoming more complex. The infrastructure generates so many ‘observations’, in the form of logs, that they are blinding the enterprise with information overload. In fact, in many organizations it would be fair to say that it is data overload. The logs generated by information security products are obscure enough to not even be informative in their original form. Compounding this problem is maxim made famous by Claude Shannon, the famous Bell Labs scientist: “The enemy knows the system”. Simply put: the ‘enemy’ activity is indistinguishable from legitimate activity – especially when examined through the perspective of a single system.

Second, government and industry regulations have added another dimension to the job of managing an already complex landscape. Varying in details and demands, many companies are subject to multiple regulations. All regulations have the same intent - to ensure that enterprises exercise due care in protection of information assets for the benefits of their customers, shareholders, employees, and in some cases critical infrastructures for national defense. However, their requirements and the audits that assess their effectiveness do vary. While some organizations have embraced the regulations to fortify internal policies and demonstrate security best practices, for most organizations compliance with the regulations has driven IT’s investment in enterprise security.