Make DBAs Part of the Solution

by Carl Weinschenk, IT Business Edge
Jul 18, 2007 9:41:11 AM

"What we got here is ... failure to communicate."

That iconic line, perfectly delivered by the great Strother Martin in the film Cool Hand Luke, aptly sums up the relationship between security teams and database administrators. The tie-in is especially strong because both the movie and an IT Business Edge interview with a database security vendor executive deal with the law.

OK, the fact that database administrators (DBAs) are the de facto gatekeepers for one of the most important and under-protected areas of corporate security seems, at first glance, to have nothing to do with eating 50 eggs in an hour, as Paul Newman did in the movie.

DBAs' lack of a role in database security is ironic. Nowhere else in a modern organization does more valuable data reside than in the databases. And the problems are piling up. This week, Oracle was slated to release a whopping 46 patches for its databases and related products. In this landscape, it's strange that the experts -- the DBAs -- don't seem to have a full seat at the security table.

But they don't. Rani Osnat, the marketing VP for Sentrigo, described an environment in which the DBAs and CISOs exist in their own discrete worlds:

[T]he network admin knows the network and the CISO knows the security requirement. But they don't know databases; the database administrator does. This is where we see an issue. We've had a lot of response from DBAs saying they would really like a solution that protects the databases.

Osnat is not the only person thinking about DBAs and database security. This posting at the aptly titled Musings on Database Security acknowledges that DBAs are in a unique position to cause trouble, since they have easy access to an amount of sensitive data that hackers outside the firewall can only dream of. The author takes the same position as Osnat: precisely because of that access, DBAs must be a key part of the solution.

Another individual who seems to agree is Application Security Inc. vice president of marketing and strategy Ted Julian. In this YouTube podcast, he says there are five steps to a comprehensive database security program: discovering assets; penetration testing and auditing; remediation of problems; real-time monitoring; and encryption of the most sensitive assets. The two that will get the most attention during the next year, Julian said, are vulnerability assessment and active monitoring. Both of these involve, to some extent, the oversight of DBAs.

There are several reasons that DBAs have to be part of the security program. Perhaps the most important is that trying to secure the databases without their help is fruitless. Said Osnat:

We think there is no substitute for involving the database administrator in implementing the solution. One key reason is databases have very specific vulnerabilities. Only the database's administrator knows what the vulnerabilities are. You can generically give some protection to databases. If you want to give them good security there has to be some adoption or configuration that is specific to the database. You can't do that without the knowledge that is held by the DBA.

It's in everybody's interest to improve database security. A breach can result in lost data which, of course, is bad for the organization and for security personnel. It's also bad for the DBA, who is naturally the most likely suspect. Indeed, Osnat said that DBAs welcome such initiatives, despite the increased scrutiny they bring.

The DBAs usually are the most eager to get the solution, even though they know it's there to monitor their actions as well. They feel exposed where they are. They know databases are exposed. They know that the enterprise is not doing enough to protect it and they know who is going to get the blame if there is a breach.

Looking at it in isolation, it seems clear that protecting databases is a vital undertaking. The challenge is that every other security step -- from keeping attackers out and vital data in to myriad other pressing concerns -- appears just as vital. Will database security get lost amid all that noise? Osnat thinks not:

In our case, things actually have improved. Database security actually is climbing up the ladder. Companies are saying that this year or next year they will do something about it.

Eventually, he says, database security may be subsumed into bigger, structured offerings, much as various perimeter measures are now flexibly slipped in and out of network access control (NAC) product offerings.

On the host side, a lot of host solutions will be swallowed up by the application vendors. So database security will be a bigger feature of database management systems or become part of a network appliance that does a lot of things in addition to reading SQL statements on the way to and from the database.
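Julian's "real-time monitoring" step and the appliance Osnat describes, one "reading SQL statements on the way to and from the database", come down to the same mechanism: look at each statement together with who ran it and how many rows it touched, and apply policy to it. The toy monitor below does that over a few constructed audit records. It is an added example, not code from the article or from either vendor; the log format, table names, account names and thresholds are assumptions made for illustration. It flags a privileged account bulk-reading a sensitive table, DBA activity outside business hours, and statements that export data out of the database, which is the pattern behind a DBA walking off with millions of records.

```python
"""Toy database activity monitor that reads SQL statements from an audit
feed and flags risky actions by privileged accounts.

Added example for this article; it is not code from the article, from
Sentrigo or from Application Security Inc.  The log format, table names,
account names and thresholds are assumptions made for illustration.
"""
import re
from dataclasses import dataclass

# Assumed policy: which tables hold sensitive data, which accounts are DBAs,
# how many rows a routine administrative statement may touch, and when the
# business day runs (hours 08:00-18:59).
SENSITIVE_TABLES = {"customers", "cardholder_data"}
DBA_ACCOUNTS = {"dba_admin", "sys"}
BULK_ROW_THRESHOLD = 10_000
BUSINESS_HOURS = range(8, 19)

# Constructed audit records, one per line: timestamp|user|rows|sql
SAMPLE_LOG = """\
2007-07-18T10:02:11|app_svc|1|SELECT name FROM customers WHERE id = 4417
2007-07-18T10:05:40|dba_admin|0|ALTER TABLE orders ADD COLUMN note VARCHAR(200)
2007-07-18T23:14:09|dba_admin|2300000|SELECT * FROM customers
2007-07-18T23:15:51|dba_admin|2300000|COPY customers TO '/tmp/customers.csv'
2007-07-18T11:30:02|app_svc|5|SELECT id FROM cardholder_data WHERE last4 = '1234'
"""

# Table names following the keywords that introduce them in common dialects.
TABLE_RE = re.compile(
    r"\b(?:FROM|INTO|JOIN|UPDATE|TABLE|COPY)\s+([A-Za-z_][A-Za-z0-9_]*)", re.I)
# Statements that write a result set outside the database.
EXPORT_RE = re.compile(r"\bCOPY\b|\bINTO\s+(?:OUTFILE|DUMPFILE)\b", re.I)


@dataclass
class Event:
    ts: str
    user: str
    rows: int
    sql: str

    @property
    def hour(self) -> int:
        return int(self.ts[11:13])

    @property
    def tables(self) -> set:
        return {t.lower() for t in TABLE_RE.findall(self.sql)}


def parse(log: str) -> list:
    """Parse the pipe-delimited audit feed; the SQL field may contain '|'."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, rows, sql = line.split("|", 3)
        events.append(Event(ts, user, int(rows), sql))
    return events


def reasons_for(ev: Event) -> list:
    """Return the policy rules an event trips (empty list if none)."""
    reasons = []
    sensitive = bool(ev.tables & SENSITIVE_TABLES)
    if ev.user in DBA_ACCOUNTS:
        if sensitive and ev.rows >= BULK_ROW_THRESHOLD:
            reasons.append("bulk-sensitive")  # more rows than any admin task needs
        if ev.hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
    if sensitive and EXPORT_RE.search(ev.sql):
        reasons.append("export")  # sensitive data leaving the DBMS in bulk
    return reasons


def monitor(log: str) -> list:
    """Run every rule over the feed; return (ts, user, reasons) per hit."""
    hits = []
    for ev in parse(log):
        reasons = reasons_for(ev)
        if reasons:
            hits.append((ev.ts, ev.user, reasons))
    return hits


if __name__ == "__main__":
    for ts, user, reasons in monitor(SAMPLE_LOG):
        print(f"{ts} {user}: {', '.join(reasons)}")
```

Run as a script it prints the two statements from the 23:00 session and nothing for the routine application reads or the schema change. In a real deployment the feed would come from the DBMS audit trail or a network tap, and the sensitive-table list and thresholds would be set with the DBA, since, as Osnat says, only the DBA knows which tables and which row counts are abnormal for that database.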

Perhaps more high-profile cases -- such as the alleged theft and sale of 2.3 million records by a DBA with access to Fidelity National Information Services -- will help the message get through.

So far, however, it hasn't. At the Gartner IT Security Summit last month in Washington, D.C., Application Security Inc. and the Ponemon Institute released a survey that said 40 percent of organizations don't monitor their databases. More than half of these companies have 500 or more databases, the release notes. Fifty-seven percent of respondents think malicious insiders are the biggest threat. That's good news in that the problem is acknowledged, but bad news because DBAs are the most inside of insiders.

Clearly, the industry must eliminate the barriers and bring database administrators into the security fold, both for their sake and the sake of the organization.

Jul 19, 2007 11:49 AM Guest Mr. A Non says:

In an ideal situation, everyone should be part of corporate security. But in reality, you have only so much time to get something done, or started. Often, having too many people involved initially puts the organization into a state of paralysis by analysis.

From a high-level point of view, corporate security is easy. But there must be a commitment across the organization to evolve and mend whatever policies and procedures are currently established. Bringing DBAs into the fold is one way.
