Information Technology isn’t what it used to be, is it? At one point we were focused on a relatively fixed set of infrastructure and software: mainframe computers, mid-range computers, servers, desktops and laptops with their accompanying software. Over time we also became very familiar with the implications of the tablet and mobile phone in IT and accepted them as part of the infrastructure as well. Software also metamorphosed through different delivery methods like cloud, and we became accustomed to the design implications of creating cloud infrastructure. Let’s not forget, of course, the network. In the early days we went from simple connectivity devices like modems and then transitioned to bridges, routers and switches; the list goes on. We became familiar with wide-area, metropolitan-area and local-area network designs and became experts in those designs. That too became part of the information technology purview.
We’ve come a long way, and so have the underlying security infrastructures and services supporting that journey, from firewalls and advanced threat management tools to different software programs to address prevention, detection, response, access and data protection, among other concerns. The nature of threat itself fostered different approaches to those areas as we evolved ever-more advanced techniques in trying to protect our underlying information technology foundations. In the midst of all of this technology, we also had to develop an organization that could architect, design, deploy, manage and operate this environment, from beginning to end. That leads us to now.
We’re all now living through another inflection point, similar to the one we had to address when the Web, mobile and cloud solutions came into our lives. That inflection point is typified by an awareness of yet smaller and more varied technologies, connected to familiar and unfamiliar networks, generating and using data on a scale like we’ve not seen. From a security perspective, we’ve already seen that this new inflection point is not completely familiar to IT, though it is familiar to most in operational technology, or OT. We only know we need to address any differences this new inflection point represents to our security strategy. It begins with the security organization.
Organizations that find themselves increasingly drawn into fulfilling the security needs of OT assets and of the Internet of Things (IoT) must consider some basics.
– The nature of the security organization itself: Just as IT evolved to address the changes I described, it will need to make some new changes. We already know one size does not fit all, and this will especially be true for this inflection. We will be drawn into more of a coordinating role for new and additional providers of security services and abilities, even the large IT security organizations. This is because there is a limit to the security knowledge you will want to learn about the myriad types of devices and systems that will come under your purview to be protected. Building a specialized security team with the skills and experience to address such a breadth of choice will become increasingly difficult. You already became familiar with the concept when you embraced mobile and cloud responsibilities; it will grow dramatically in this new world. Consider the very nature of your security organization and how much will even be ‘yours’ in the future, depending upon how much of this world you embrace;
– The reporting hierarchy: IT security has traditionally reported to the CIO in many if not most organizations, primarily because the mission of Chief Information Security Officers has been protecting information. That mission does not change, but how that information is used and whether information protection is the ultimate outcome for the CISO will now be a question for some of you. While the confidentiality, integrity and availability of data is a core mission of IT security, OT and IoT systems and devices now introduce you to the world of the physical. These systems and devices have the means to report at levels that are now the purview of engineers, physical security specialists or the ‘industrial’ people, not IT security specialists. Information security may now be just an intermediate step to the outcome. The new mission may be keeping people or physical environments safe. Protecting the physical, engineering or industrial outcome isn’t a new mission in and of itself, just a new mission where IT security becomes involved due to the technology, software and connectivity needed by these non-IT-like systems. While there is no reason to force reporting lines for engineers and physical security to be part of the IT security organization, it is important that the nature of the IT, OT and physical security relationship change to better align the architecture, strategy and planning of security. After all, if devices that can change the physical world become increasingly digital and use software and networks, IT security will be asked to be part of that world whether you wish to be or not;
– Risk, Reliance and Regulation: With the interconnections I have described, the nature of calculating risk must change. Isolating risk calculations and creating silos (e.g. IT risk) to manage risk within that silo will not capture the impact of threats and hazards in other environments, like the physical or the engineered. Regulations for safety will now be part of regulations for cybersecurity if the means by which systems are made safe use digital, connected technologies. The concept of system assurance, making systems of systems resilient enough even as they grow in complexity and interconnections, is now a role of cybersecurity specialists. I call them digital security specialists to capture the holistic needs of risk across the silos and traditional separations in organizations, because I believe that the digital platforms we will need across logical and physical systems will need a common approach to security.
It is time for the new digital security organization. Are you ready?