Intellectual Property Security: Don't Lose Your Head

Intellectual property isn't always easy to identify. It's even harder to protect. Here's how CSOs can work with others to protect their companies' future.

1 2 Page 2
Page 2 of 2

The best way to keep your IP inside the company, Pontrelli says, is to treat your employees with care and respect. "If you take care of them when they arrive and when they walk out the door, they'll respect the essence of the NDA; if you don't, the loyalty factor is diminished," he says. "Protecting IP is less about buying technology or hiring investigators to chase people. It's more about treating your employees right. If you make them not want to hurt you, you'll minimize your exposure. We can put up the biggest physical security barriers in the world, have the best IT systems and the tightest personnel screening program, but that won't stop a person from walking out the door with proprietary knowledge in his head."Beyond the PeopleUslan's mantra is audit, audit, audit. At Sony Pictures, his job depends on maintaining high levels of data security—particularly vital for industries such as his where large quantities of proprietary materials are electronically stored and transmitted. So it's not surprising that Uslan takes a vigilant approach to protecting Sony's internal IT systems. His department, which is part of Sony's information technology and protection organization, is the caretaker for all Sony intellectual property in digital form. "If it's on the computer, it's my job to protect it," he says. So he scrutinizes Sony's IT systems worldwide, testing every method by which his company stores and transmits content to make sure security is up to his team's high standards. He and his team are also regular practitioners of penetration testing, a practice that routinely turns up vulnerabilities that might otherwise not have been found until someone outside the company had exploited them.

Uslan's audits resemble an ambush by friendly guerrilla forces. He and his team bring in a group of tactical IT security experts specializing in whatever operating system or software program Uslan is auditing at the time. (The company's network and systems administrators are extremely competent, he emphasizes, but their job is to keep Sony's systems up and running, not to analyze security—hence, the specialists.) The group of experts descends on each Sony location and begins auditing at the macro level, analyzing the company's servers and operating systems, checking for known weaknesses, and patching where necessary. Then it moves a step down, looking at every software program and every network port, testing as it goes. Afterward, Uslan meets with the network and systems administrators to tell them about any new problems or vulnerabilities discovered during the audit. "It's not an antagonistic event," he says. "We tell them what we found, how we found it, the tools we used and how they can patch the systems to prevent more holes from occurring. By the end, we've got them excited. And we've helped make both the systems and the administrators stronger." As soon as the group completes one audit, it's on to the next location to begin the process again.

Uslan understands why he needs to keep more than his finger plugged in the proverbial dike. IP loss affects everyone at Sony and beyond. "IP theft means revenue that we can't pass down to the script writers, the prop masters, the costume designers, all the people who work hard on films," he explains. "When someone gets a movie for free on the Web, for instance, instead of going to a theater, it's a slap in the face." He's also seen what happens when people get complacent about IP security. "It's when you think you've got all the bases covered that something big goes wrong. You have to stay on top of the process."

It's easy for CSOs to place the protection of ideas a lot lower on the priority list than protecting buildings and employees. Like Uslan says, CSOs get comfortable protecting what they know. Still, "intellectual property is what keeps your company viable in the market," says the National Intellectual Property Law Institute's Chandler. "And CSOs must make protecting intellectual assets one of their highest priorities." Nothing less than the future of your company depends on it.

Copyright © 2003 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
The 10 most powerful cybersecurity companies