IT Security: From A Fortress To A Hotel

by Adam Burns


Hack and breach codes. Fiber optic cables blinking a million times a second. Ultrabooks with connections quicker than the blink of an eye. Sure, these things exist – in Hollywood. But for the world of enterprise IT security, the focus isn’t on the ‘Need For Speed’ or cracking ‘Mission Impossible’. In fact, for a growing number of CIOs and IT Heads, security has become a balancing act of managing people, technology and the organisation.

In a recent MeetTheBoss roundtable on IT security, Matthew Oakley, Head of Group IT at British multinational asset management firm Schroders, discussed the often-misinterpreted element of ‘risk’ that pervades everyday life for IT security professionals. Misinterpreted because, for a long time, the panacea goal of eliminating IT risk in its entirety has pervaded the arena. Instead, Matthew offered, trying to reach that panacea was futile, as “…our daily lives don’t even function on that basis”.

Instead, with the emergent understanding of enterprise mobility, the cloud and a broader influx of entrance points into an enterprise’s network, Matthew offered a rather astute analogy.

From The Fortress To The Hotel

“We need to take a look at ourselves here. IT sitting like King Canute telling the waves not to come in is an idiotic place to be,” he offered. “We’ve got to teach our business and users about real risk. For IT to lock everything down just makes our users sneaky. It means they’re trying to work out how to get around our controls,” he explained.

“IT departments have traditionally tried to build a fortress – and we need to start building like a hotel. Instead of all of the security being on the front door, let’s put better security on the bedrooms and allow ourselves to know that the lobby and public spaces are ‘semi-guarded’ areas.

“You’ll wander around, and if you see someone trying to steal the light-fittings, you’ll probably catch them,” he continued. “But you have to presume that it’s a semi-public space. That’s a much better and safer starting point. From there, you begin to manage human behaviour through training and education, and let people see how it’s appropriate to behave in the lobby.”

Managing Human Behaviour

Matthew’s analogy serves to highlight a number of points often misplaced when it comes to IT security – beginning with control and ending with education. For the former, merely placing restrictive policies and telling users what they’re not allowed to do makes them “sneakier”.

To paraphrase another point raised, we teach our children how to cross the road carefully – we don’t build walls to stop them crossing at all. Why shouldn’t the same apply when the road becomes a mobile device or remote storage service?

Indeed, it’s fear of losing control that’s misaligning the needs of the user with those of the business. Instead, IT security should be looking to find a way to adopt its enterprise’s existing organisational framework to engage and involve its users. Regardless of how restrictive your controls are, what happens when the lights go out? The glow of smartphone screens will continue to light the way.

With that in mind, it has to be the job of IT security heads and CIOs – at the very least – to introduce the need for better education and training in a bid to help manage human behaviour and reap the benefits of setting enterprise security in the proverbial hotel and out of its medieval fortress. Easier said than done. Why?

Because as it currently stands – as Matthew went on to underline – it’s not solely a need to educate and manage human behaviour within the enterprise that needs to prevail here. To induce any notable change, external auditors and regulators need to be the ones providing the elixir. Without that, the hotel remains condemned.

So what does the horizon look like for IT security today? As other roundtable attendees offered, the most applicable view of risk management has to, as it always has been, remain focused on the organisation, its people and the break-neck speed of technology. Fine-tuning that balance will play the most important role in producing a blueprint for Matthew’s hotel – but until that exists in full, dismantling the fortress is the best on offer. It’s either that or a sub-standard motel.

Adam Burns
Editor-in-chief and Presenter at MeetTheBoss TV

Adam has interviewed over 450 chief executives from Adidas to Zappos. He has spoken on communication, leadership, and innovation at several major conferences, for organisations as diverse as CA and CeBIT, and is Master of Ceremonies for a number of brilliant business events.