Today is a nice day. It is 78 °F (25 °C) and sunny here in Garden City, NY. Today, I decided to actually take a lunch break and stroll over to Subway for a bite. On my way out, I snatched the latest copy of ISACA's Information Systems Control Journal. Although I did not get much past the guest editorial by William C. Boni, titled "Mobility Changes (Almost) Everything!" (membership required), it was worth a good read. Mr. Boni writes:
"The notion of treating an organization's network as if it is a discrete environment and developing security solutions to guard against the threat of outsiders is dangerously outmoded and an incomplete concept. We need to understand that this pernicious and outdated concept still affects our approach to protection, and many people continue to operate as if physical location is a reliable measure for protecting organizations against risks of information theft or loss."
ISACA Information Systems Control Journal, Volume 3, 2008

Very few active practitioners of the information security trade will disagree that the perimeter is fading, and that we are facing an increasingly mobile workforce. I blogged about this before, and I doubt that this will be my last post on the topic.
What I have always left unsaid, but what Mr. Boni clearly points out, is that we must realize that only very few people really understand the consequences of this development. Most of our (implicit) thinking still revolves around the old fortress metaphor: as long as you are on the inside, you are safe. The way that most of us architect the locations of firewalls, Intrusion Detection/Prevention Systems, etc. is a lively illustration of this way of thinking.
Unfortunately, the view of an organization as an entity with clearly delineated IT boundaries is no longer true (if it ever has been); modern organizations are not castles or strongholds, they are open entities with a very large number of interdependencies to business partners, clients, suppliers, governments, financial institutions, etc. Our global economy depends on organizations working together and adding value at each link in the value chain. Information security professionals need to be aware of that.
Mr. Boni also writes:
"Increasingly, new products, services and solutions require near-constant innovation. Innovation in a global community--the creative spark that envisions new experiences, products or services creation--comes as often from the ad hoc, unstructured, interpersonal and interorganizational discussion, as it does from formal research initiatives."

That observation is spot-on, and it is something we must listen to very well. Information security efforts must be aligned with business needs (essential truths: never say no), and most businesses need to constantly adapt to changes in their environment.
Sometimes that adaptation will be facilitated through innovation, but more often it is through communication. Both processes rely heavily on information processing, and as information security professionals, it is our job to enable these processes to happen efficiently, effectively, and securely.