Do you trust people? Who? And why? What makes you confident you can depend on them?
Searching questions, perhaps, but ones everyone involved in IT security is going to have to answer pretty soon.
The fact is that CIOs have less control than they used to – not just of the IT systems their organisations use but of the data they contain.
Take consumerisation – the increasing use of employees’ own devices in the workplace – for example. As it develops, IT managers will have less control of the platforms to which they deliver applications and services.
Or cloud services. To use them, IT managers have to put their organisations’ data in others’ hands.
To add to the problem, there’s the increasing use of closed operating systems, like iOS, that provide security on a ‘take it or leave it’ basis.
And the widespread adoption of social networking. Now that it’s built into applications like salesforce.com, it’s getting very hard to limit who can send or say what to whom.
But before you panic, remember this: there never was a golden age when you had complete control. Even when you owned all your organisation’s computers and controlled all its data, you had to trust all sorts of individuals and organisations. Hardware and software vendors. Communication service providers. Outsourcers and other business partners. Suppliers. Governments – they have rights of access, after all. And your fellow employees – the people who work in the organisations it’s your job to protect.
All we’re seeing now is a move to the next stage.
The IT business is maturing – fast.
There are far fewer opportunities to profit by doing things yourself. Consumer platforms are hard to beat. Cloud service providers achieve economies of scale their customers stand no chance of matching in house.
And the fact that you no longer have to deal with every aspect of security at every level is a good thing. If the people in and around your organisation can be trusted to do the right things, you can delegate responsibility to them. And if you can do that, you’ll get more time to focus on what matters most to your CEO – on helping your organisation apply information and communication technologies in ways that give it competitive edge.
So what about that first ‘if’? Now that you need more trust, how can you build it at the ‘volume’ you need?
The answer is to focus on people and processes.
Starting with your workforce, you’ll need higher levels of security literacy than you may have got away with in the past. People will encounter new situations – situations that aren’t covered by standard rules and solutions. And when that happens, it will be their general understanding of how to work securely you’ll depend on – not their ability to follow rules.
Moving on to outsiders, it’s the way you outsource responsibility that makes the difference. And given there are few organisations that do absolutely everything themselves, there’s a wealth of standard tools you can use to do outsourcing properly and protect your organisation against risks. Consider contracts, governance frameworks, due diligence procedures and insurance policies, for example.
So don’t let the illusion that you’re in control today stop you taking advantage of the great innovations the IT business is coming up with. Don’t freak out when the time comes to delegate responsibility to someone else. Just make sure your people are ready, willing and able and the way you outsource responsibility is in great shape.
By The BT Security Think Tank
Members of the BT Security Think Tank include Ray Stanton (Executive Global Head of Business Continuity, Security and Governance), Bruce Schneier (Chief Security Technology Officer), Peter Scott (Director EUT, BT Security), Martin Brown (General Manager, Security Technology & Strategy), Steve Benton (BT Security – Head of Business Operations), Jim Tiller (VP – Operations and General Manager, BT US & Canada) and Theo Dimitrakos (Head of Security Architectures Research, BT Innovate & Design).