Sentries used to ask, "Friend or foe?" and were able to relax when the answer came back "friend." But in today's world of information technology, the question "With friends like these, who needs enemies?" is becoming a catch phrase, particularly among those with the title of chief information security officer (CISO). Those charged with protecting a company's electronic assets have had to concentrate their efforts on combating the growing trend of internal menace.

Over the last decade information security has moved from firewalls and stopping hackers to compliance and keeping the company out of trouble, explains Roger Nebel, who heads up the strategic security practice for FTI Consulting. He believes there is an increasing awareness of internal threats but points out those threats continually have been there. The focus for security has become internal–from screening employees and putting computer security controls in place to creating a need-to-know system where business users can look at one document but not another.

People in the security community know their job is to protect assets whether attacks are intentional or unintentional, according to Kevin Yeamans, IT security and compliance leader with GE Insurance Solutions. "Largely, the intentional threats were perceived to be external in nature, although you always have the threat of internal people stealing data and exposing it outside the company," he says. "But the larger threat always has been unintentional destruction or modification."