Tony Lock, originally published on The Register
Ask any IT manager, business leader or regulator and they will tell you that IT security is important – that much goes without saying.
As the chart below shows, for many professionals the role of security in IT is now seen to be a fundamental part of delivering day-to-day IT service to users, wherever they are, whenever they need service and using whatever device is best suited to the task.
It is no longer a separate entity that only succeeds in adding complexity to an already difficult occupation. But as IT and networking technologies become more complex and as business demands for service flexibility grow, is it time for IT professionals to rethink security?
A major challenge for everyone is keeping up with just how quickly the “security” landscape is changing. We know that the traditional drivers for raising the security bar, namely external regulation, concerns over “privacy” and the protection of corporate data, along with increasing amounts of legislation, still constitute a considerable challenge for many organisations. While these are matters of concern, it has to be recognised that they amount to “known”, definable challenges.
These are now being supplemented by a raft of new security worries as user behaviour alters, especially around the use of mobile devices and equipment acquired outside of the standard procedures. There is also the social side of the behaviour equation.
We know from prior research that the ‘official’ use of social media is slowly taking off inside business processes. But Reg readers also tell us that the ‘unofficial’ use of social media tools is a bigger part of daily business life. With people becoming ever more cavalier about sharing information, especially younger workers who have grown up putting their life’s story on the Web, just how is the “security landscape” changing in your business?
Are there any new service areas, such as Unified Communications, instant messaging, screen sharing, Webinar services or other social media sites which you think will have a major impact on how you should treat security? Equally, do you think that they will lead to modifications in your security policies, and if so, when?
In most organisations security is still about securing computers, be they servers, desktops or laptops. But we know that the emphasis should really be on the services that users access rather than the details of the machine they sit at. So if security emphasis is still centred on computers, what about all the other stuff: services, data, information, interactions and virtual relationships?
This naturally raises the question of how to integrate security across systems where you do not have direct control. These include the use of external service providers, social cloud-based systems and collaboration solutions, and even the personal devices employees use every day in their business processes. Do you still have a good idea of just what you are trying to secure?
As new threats and behaviours emerge, needing different solutions to secure systems without putting security barriers in the way of operations, it’s likely that identity management and access control systems and protection, encryption and key management tools will grow in importance. The challenge is to make them effective without generating end-user resistance and avoidance. Perhaps the real issue is a need to raise the awareness of corporate security responsibility that every member of staff has. But how realistic is this when it is difficult enough to get them to remember their password without resorting to writing it down on a post-it note?
It is clearly hard to keep so many factors in focus, especially when the business demands more from IT every day without adding the skilled manpower needed to lighten the load. We would like to know if you have found workable policies, procedures and tools that let you secure the ever-expanding range of information, interactions, processes and the social networking environments commonly accessed every day.