Every day it seems that we have less control in the world of information security. Shadow IT rules some enterprises. Applications move to the cloud, IT’s buildings empty out, security staff are reduced to skeleton staff. While a regulatory tide rises across the world in a tower of Babel, employees and contractors in the enterprise embrace mobility by any means necessary. And the information sprawls. BYOD is touted as cost savings by some business executives.
In 2012 Gartner speaks of the nexus of forces – cloud, social, mobile, and information – yet for security staff this could be a dark place to stand like deer in the headlights. Consumerization and compliance are at loggerheads. What happens when an unstoppable force meets an irresistible object? Will it mean the end of confidentiality as we know it?
Before I get into this I must give due credit to my colleagues. What I’ve loved about working at Burton Group and now Gartner is that I stand on the shoulders of giants. This blog post was originally inspired by Bob Blakely’s posts on the the end of secrecy. And I would not even be doing this if another colleague, Eric Maiwald, hadn’t been inspired to take up Bob’s original topic as a potential 2012 Catalyst session.
So what does this perplexing notion actually mean? It can’t be that we just give up and stop data protection efforts. But it does mean that we have to change our paradigms. We should try to centralize data access with server-hosted virtual desktops and enterprise content management systems. But this can only partially hold back strong tides of data dispersion. We can monitor the flow of information with DLP. But malicious users will often evade surveillance – this in an old game of low assurance.
We can attempt some stronger techniques as I advised in my restricted zones blog entry – stop assuming that we can win the futile battle to 100% protect our endpoints and instead get more hard core about building fortresses, or secure zones, around our most critical data. Done correctly, this can reduce the magnitude of worst case consequences but still doesn’t represent a 100% compliance solution.
Yet compliance is a many-sided coin. It needn’t be achieved solely through security technologies. We can change the game by changing business processes; for example, some organizations have stopped storing credit card numbers. Our organizations can also use business process outsourcing, corporate subsidiary structures, and other business approaches to transfer risk or manage it in creative ways.
Creativity will be essential if the nexus of forces coupled with an ever-more challenging threat and regulatory landscape really brings the end of confidentiality as we know it. I recently heard the CISO of a large financial institution muse about “What we would do if all our controls still prove ineffective against the threats?” He spoke of then using business and information management techniques in the realm of espionage – counter-intelligence, deception – consciously and systematically varying the timing, audience, completeness, and accuracy of information flows, watching what happens, and adapting. This is not actionable yet – no more than a thought experiment. But could it represent the shape of things to come in the not too distant future?
Category: Uncategorized Tags: