A number of CISOs contacted for this article say their corporate intellectual property is adequately protected by the standard data security practices they already have in place. That could be true, but consider: Much of the attention in recent years has focused on protection of transactional data and personally identifiable information (PII), such as customer names and credit card numbers. That's what compliance regimes such as PCI DSS address. Intellectual property is much squishier and may live in different parts of your network—and of your filing cabinets and whiteboards and so on—from PII. And it is sometimes subject to a different set of legal protections.
So read on for expert advice on connecting all the dots and creating a more robust IP protection program.
Taking Stock of Intellectual Property
Unless you have already done this, and recently, the first thing you have to do is identify what your IP consists of and where it resides. This is no easy feat, as IP can be deceptively chameleon-like, taking multiple forms: structured and unstructured, amorphous and concrete, small shreds of things or entire databases, thoughts in someone's head or captured in a document. You need to explain to your employees and business partners in particular what your IP is, because if you don't, you can be sure they will share the information haphazardly and thereby reduce its value (at best) or jeopardize the company (at worst).
"We have gone through a significant effort to understand what we have in-house, what's commercial, where it resides," says Black. "Due to the speed at which we iterate, it's quite an effort."
After you've completed your IP inventory, the next step is to map the data, according to Gary Lynch, global head of strategic consulting for Marsh, a security advisory company.
"How does it get created, where does it get created, what happens to it? You have to look at all the stages of data formation and use all the way through to disposal, access, storage and transmission," says Lynch. Your IP data map then becomes your footprint for applying controls. (And, obviously, the data map itself will be a very sensitive document requiring excellent protection.)
Electronic protection of IP is different from protecting many other types of information. Often referred to as the "corporate jewels," IP is so precious it needs to be protected at a data and document level, as opposed to just at the level of the system on which it resides. Unfortunately, more draconian protections make it difficult to share the data, and sharing is the order of the day in today's collaborative environments. "Public key infrastructure and general encryption are not very usable in an enterprise," says Ryan Kalember, who became chief marketing officer of WatchDox last month. "Users will find their way around the controls."