by Jon Collins
I went to a fascinating panel session a couple of weeks ago, where I and a number of other analysts were largely witnesses to a debate around the evolving security needs of the chief information security officer, or CISO.
These were no small fry – around the table were security chiefs from a number of blue-chip companies, including leading pharmaceutical businesses and some of the better known financial institutions.
What was most interesting was the advanced thinking of the panellists – not least how their views were moving ahead of conventional, industry-led perspectives.
The pervading view was that the very basis upon which IT security is defined and procured needs to be reconsidered. Traditionally, the assumption has been that the organisation needs somehow to be protected from outside threats. While this perspective is being gently eroded over time by the industry as a whole, the panellists were of the opinion that the whole concept of an organisational boundary should be consigned to the past.
These opinions were expressed in a number of ways. One panellist, for example, described the policies surrounding remote laptop use and how they were extending the policies to computers inside the corporate environment.
“If it’s good enough for computers connecting via the internet, it’s good enough for computers connected via the LAN – why have two policies when one will do?” he said.
Other panellists talked about their suppliers and partners: if the business requirement is to enable access to corporate systems by third parties, security measures are often more of a curse than a blessing, disabling rather than enabling productivity.
While some of these themes are reflected in Freeform Dynamics’ research, there can be no doubt the thinking in this area is moving fast. Back in the mid-1990s, the UK government cottoned on to the fact that good security is more about risk management than risk avoidance – a concept that has fed into such standards initiatives as ISO 17799.
It is only quite recently that such thinking has broadened across the wider majority of sectors, aided and abetted by the compliance wave. According to recent Freeform Dynamics research, more than 40 per cent of the 324 respondents told us their organisations were appointing a chief risk officer – this figure was in excess of 60 per cent in the financial services sector – which is quite a leap forward from a couple of years ago.
Meanwhile IT companies with a focus on security – such as CA, IBM and Symantec – are responding to the risk management question. But who’s to say that by the time the industry as a whole has caught up, the needs of end-user organisations will already have moved on?
There can be no doubt it’s time to move forward not only the security debate but also the technologies available to support these evolving business requirements.
If security is to be considered as threat prevention, solutions will invariably be in the form of threat removal. While such a model may have worked in the past, today’s organisations are looking for security to be more about business enablement and risk reduction – and this will require not only different technology combinations but also different approaches to deployment and operation. There will always be a need to counter threats – but within this broader context and not for their own sake.
These are not the views of some California-based marketing team but the realities of today’s global business landscape, as told by organisations on the front line. It would be wise to sit up and listen.