In Depth
Intellectual Property Security: Don't Lose Your Head
Intellectual property isn't always easy to identify. It's even harder to protect. Here's how CSOs can work with others to protect their companies' future.
By Simone Kaplan
The best way to keep your IP inside the company, Pontrelli says, is to treat your employees with care and respect. "If you take care of them when they arrive and when they walk out the door, they'll respect the essence of the NDA; if you don't, the loyalty factor is diminished," he says. "Protecting IP is less about buying technology or hiring investigators to chase people. It's more about treating your employees right. If you make them not want to hurt you, you'll minimize your exposure. We can put up the biggest physical security barriers in the world, have the best IT systems and the tightest personnel screening program, but that won't stop a person from walking out the door with proprietary knowledge in his head."

Beyond the People

Uslan's mantra is audit, audit, audit. At Sony Pictures, his job depends on maintaining high levels of data security—particularly vital for industries such as his where large quantities of proprietary materials are electronically stored and transmitted. So it's not surprising that Uslan takes a vigilant approach to protecting Sony's internal IT systems. His department, which is part of Sony's information technology and protection organization, is the caretaker for all Sony intellectual property in digital form. "If it's on the computer, it's my job to protect it," he says. So he scrutinizes Sony's IT systems worldwide, testing every method by which his company stores and transmits content to make sure security is up to his team's high standards. He and his team are also regular practitioners of penetration testing, a practice that routinely turns up vulnerabilities that might otherwise not have been found until someone outside the company had exploited them.
Uslan's audits resemble an ambush by friendly guerrilla forces. He and his team bring in a group of tactical IT security experts specializing in whatever operating system or software program Uslan is auditing at the time. (The company's network and systems administrators are extremely competent, he emphasizes, but their job is to keep Sony's systems up and running, not to analyze security—hence, the specialists.) The group of experts descends on each Sony location and begins auditing at the macro level, analyzing the company's servers and operating systems, checking for known weaknesses, and patching where necessary. Then it moves a step down, looking at every software program and every network port, testing as it goes. Afterward, Uslan meets with the network and systems administrators to tell them about any new problems or vulnerabilities discovered during the audit. "It's not an antagonistic event," he says. "We tell them what we found, how we found it, the tools we used and how they can patch the systems to prevent more holes from occurring. By the end, we've got them excited. And we've helped make both the systems and the administrators stronger." As soon as the group completes one audit, it's on to the next location to begin the process again.




