Compliance isn't just about securing your resources, it's about managing risk. So says Sara Santorelli - and as the CTO of Verizon Business, the network service provider formed by the merger of the enterprise networking assets of Verizon and MCI, she should know.

Her job puts her in charge of a large part of what the rest of us see as 'the Internet'. Her network connects many millions of users, including around three million mobile workers who are now introducing new risks via new technology such as smartphones. As a result, it generates two and a half million security events a day.

There's several lessons to be drawn from all that, she says. For example, first you have to decide which of those security alerts are the important ones, and secondly, in these days of regulatory compliance, there are people who may want to know what you secured and how.

Santorelli says that as a result, increasingly her job is not about network and IT security, it's about risk assessment and risk management.

No absolutes in network security

"Security is not absolute - you can't guarantee it's perfect," she explains. "You have to build a risk management programme, so as you protect your systems, you protect the right ones."

She adds, "The problem now is you don't just have to secure your resources, you have to validate that you secured them. So we have developed a risk assessment process to demonstrate our effectiveness and results."

When it come to assessing the threats present on the network, Verizon does have advantages that other organisations might lack. In particular, the fact that it carries so much Internet traffic means that it has greater visibility into what's going around than others do.

For example, if a site is known to be 'black', then it's a good guess that traffic from it may be worth investigating. As Santorelli points out, "The bad guys test their code over our network too, and we collect data on that."

Honeytraps can be used too, both to distract would-be hackers - a server named for the CEO, perhaps - and to see what what comes along and tried to infect it and its local network. After all, says Santorelli, you have to get code onto a machine in order to start propagation.

She adds that protecting a system or managing a device is - relatively speaking, at least - the easy part. After all, you know your objectives, or you ought to, and it is a measurable process.

Understanding the risk

The question is how much do you protect it, and who from? And you cannot answer that question without knowing what you need to protect and why - ie. what the risk might be if that system or the data on it is lost or exposed..

"Making decisions about policy - that's the hard part," she says. "As well as operational risk, my metrics place an extra load on a system depending on what data it has.

"Know where your data is - it seems really basic, but you need a repository showing what's on where. There is an extra risk factor too if the system is Internet-facing."

Then, once you have decided on your policies and applied them, you need to check that what you think is happening really is happening.

"Every year you need to hire someone who's not seen your network before to test it," Santorelli says. "I use the same (penetration testing)vendor for two years then switch, because I want a fresh approach."