If there is one thing everyone agrees on when talking about the cloud, the BYOD movement, or the consumerization of IT in general, it is the fact that IT departments must adapt or face irrelevance. The need for change is perhaps even more important for information security offices, as the risks their organizations face increases, not only because of these trends, but because of changes in the overall threatscape. The attitudes and approaches to information security must evolve in order to effectively protect an organization’s information assets.
The disappearing network “perimeter”
Take, for instance, the network perimeter: a long time ago (by technological standards), maintaining strong defenses on the perimeter of the network (firewall, IDS, and so forth) was one of the most important jobs the information security office had. As long as nothing from the outside could breach those defenses, it was considered a job well done. IT departments became confident that their perimeter security was enough and internal security controls were far more relaxed. Today, the notion of an impenetrable perimeter is obsolete, brought down by the rise of the mobile workforce, BYOD and other changes, each one poking holes in the traditional network boundary.
There is no denying that the network perimeter is important, but as workers’ laptops or smartphones (regardless of whether they are company-issued or personal devices) routinely move in and out of the organization’s internal network or communicate with it via VPN connections or even the open internet, attention must also be placed on additional internal controls that assume that an attacker will compromise any of these devices or the applications they use and gain access to the internal network. Yet despite the evidence of this type of change around them, some IT departments (as well as some information security offices) live and die maintaining this concept of an “invulnerable” network perimeter.
Changing from the inside out
Perhaps the most important change security organizations can make is to alter the perception of what information security contributes to an organization. Sometimes there can be a serious disconnect between the information security office and the rest of the organization. This can be due to any number of reasons: for example, a security office might have played the role of traffic cop or referee in the past, punishing those that break the rules. This in turn creates the perception that the security office’s only objective is saying “No”. The idea that security is something negative that should be avoided lest it becomes an “obstacle” then becomes generalized among the business units and even among the rest of the IT department. Usually this manifests itself when projects move along without knowledge of the security office or its involvement arrives too late to make a difference. Other symptoms include willful disregard of security policies or advice and the active creation of workarounds to security controls.
Changing the perception that the security office is an obstacle can be difficult, but the results will be worthwhile. A good place to start is by becoming more involved in the day to day activities of the different business units and IT units. This way you will be able to detect the “pain points” of the different security controls and policies that might be perceived as affecting their work. This approach also gains you a deeper knowledge on how each unit operates and the information assets they actually depend on, which in turn, will allow you to provide them with relevant practical advice on how to operate securely and efficiently and how to protect their critical assets effectively.
Analysts and pundits like to tell us that we are entering a “post-PC” era, but regardless of how you define it, computing has become more personal than ever. In order to be successful at managing and mitigating the risks of our different organizations, security offices must also have a more personal touch, involving themselves deeply into how the business operates and become the asset the organization needs them to be.