What an interesting Infosec! I was asked at the end of this year’s conference, what I’d seen as ‘hot’ topics, and I had to confess that there was nothing that really stood out from a technology perspective. To me it was more of the same – disk encryption, log management, data leakage protection and the like were all interesting, but to be fair they were works in progress as opposed to anything ‘new and improved’.
But bear with me here. This does not mean to say that everything is staying the same. Rather, what marked the conference for me was how its context was changing, from two perspectives: first, the technology landscape within which IT security sits, and second, the way that IT security is evolving in itself and to meet the maturing needs of its customers.
Let’s think first about the technology landscape. Despite the financial turmoil faced by organisations across the world, this is a very exciting time to be in IT. Social networking and collaboration, unified communications and VoIP, software as a service and cloud computing, the explosion in user-generated content, text, graphics, audio and video, the arrival of virtualisation as a mainstream technology, all are having disruptive effects on how IT is being considered and used.
In security terms however (there is always a ‘however’, in security terms), we are hearing that many organisations are considering, and even adopting, such technologies without necessarily putting the checks and balances in place. In Tuesday’s panel session on virtualisation and security, for example, one attendee described how he was trying to slow down the operations teams, as they were seeing clear financial benefits to server virtualisation and therefore wanted to adopt it as quickly as possible; however, they were not taking into account the associated security risks and dealing with them accordingly (there’s a good checklist of pointers from Steve Moyle of Secerno here, if you are interested).
We expect to see similar challenges in adoption of cloud computing technologies, social networking and the like – indeed, there are plenty of examples already of organisations being caught short due to data leaks through social sites, for example, or falling foul of compliance law through inappropriate adoption of SaaS. Conclusion: while IT security may not be centre-stage at the moment relative to all these new trends, it doesn’t take a rocket scientist to predict that this time next year, it will be security professionals that are handed the broom and left to clear up the pieces.
All the same I don’t think they will be alone, given the second perspective: that is, how IT security is evolving. This time last year I commented how interesting it was that there were a number of non-traditional-security vendors present – Google, F5 and the like. We’ve seen more of that this year, as (for example) a larger number of log management companies have joined the fray. It’s a small symptom of technical cross-over into new domains, such as application management and IT operations.
This development is clearly accelerating, judging by the conversations I had with a number of vendors and end-user organisations across the three days. There was plenty of talk about ‘policy’, ‘risk’, ‘governance’ and the like – but not just (as in previous years) in passing. Rather, there was a general recognition that, for security to succeed, it needed to be integrated with other IT and business management disciplines. This message came through loud and clear, for example, in the second panel session I hosted, on data integrity – all panellists were unanimous that data integrity could not exist in isolation from data quality, for which there already exists an ISO standard (ISO 8000).
From my perspective, this is a very welcome development – not least because security is never as effective as it could be if it is being considered as a silo. If I had a hot dinner for every time I have said words to the effect of, ‘the only risks that matter in business are business risks’ – but we all know how hard it can be to engage a disinterested business audience and extract out of them exactly what those risks are, never mind get any funding to mitigate them. So it is surely a healthy thing that we should think about information risk at the same time as information management, insider threat at the same time as business process management and collaboration management, and so on?
Well, yes, but with a caveat. What we’re talking about here is a significant change not only in how security is considered, but also who is doing the considering. With the best will in the world (and through no fault of their own) many security professionals have been focused more on the technical aspects of security rather than such broad topics as information governance or business risk. Meanwhile, there are plenty of more business-oriented specialists who lack the detail in terms of what security technologies can bring to the party. For a successful evolution, it will be necessary to bring down the Chinese wall between security as a technical discipline and governance as a business discipline.
Where to start? This is not something that can be resolved with a game of football between the two sides, as the issue is more one of differing language than any lack of desire to communicate. Ultimately, for security to be successful it needs to be treated as an inherent part of an organisation’s governance processes – we can look at HSBC’s bold decision to integrate their IT security team into their business fraud unit, for example.
If governance is the ‘what’, security is at least one part of the ‘how’. But for integration to be successful, it will require all sides to face the fact that it is only by starting with the ‘what’ that we can succeed. IT security has existed for too long as an end in itself, an isolated satellite leading an independent existence, largely due to a lack of understanding about where it should fit. For IT security, it is time for it to rejoin the mother ship.