Wednesday, July 31, 2013

Changing face of Security in an increasingly Collaboration-oriented world

While I agree the title is a handful, there is much behind this topic. It recognises that Deperimeterisation is more than just an IT Security phenomenon, and much more about the increasing business need for collaboration, both with other partners and also with customers. Innovation is increasingly externally powered. Organisations that try to survive inside their silo, peeking out to sell their shiny new product or service, will find that the world has changed significantly since they last peeked!

This new business frame requires a complete RETHINK of Information Security, moving to incorporate the enablement and assurance of Positive Value, by replacing security tools designed solely to protect / control / stop / monitor with a new breed of tools designed to ensure, promote, enable, and prove. Imagine SMART DATA that not only prevented an inappropriate entity from accessing it, but actively sought out an appropriate entity, and reported when it had found one.

In short, the discipline of Information Security will take off its peaked cap, put down its STOP sign, and actively engage in understanding and ensuring that Business Goals and Business Rules are met.

From Security = Bolt On Braking Device

To Security = Built In Hybrid Motor that acts as both Engine and Brake!

Perhaps we will need to change our function's name to Information Asset Management?
Which, by identifying the Opportunities and Risks associated with information assets under an enterprise's control, can maximise the value of said Assets and reduce the potential for threats or losses, while ensuring real-time compliance. The toolset will be completely different!

Like moving from the old world of Photography, which required the creation of a "Negative" in order to then create the final Image (which always involved loss of Quality!),
to the modern world, which involves sensors directly capturing the positive image.

When InfoSec teams change their primary goal from one that involves disabling inappropriate access to one that ensures appropriate access, the outcomes will undoubtedly be more positive.

Perhaps the harder question is: How do we get the InfoSec tool creators to re-tool? They like selling using Fear, Uncertainty and Doubt! It is so much easier for them. Worse, building security in will be very hard, especially as the first question is: WHAT ARE THE BUSINESS RULES?

In most organisations they are Implicit, Assumed, or, worse, in the heads of just a few folks who think that keeping them to themselves gives them power! But that is a whole other post.