Simply put, the threats of today are larger than any one vendor, meaning that the isolation of security technology must become a thing of the past.
Data security has never been as hard as it is today. And it is going to get harder. Why? Because it is becoming more embedded in everything we do; and because we, not technology, hold the key to the future.
The protective walls of the corporation came tumbling down a long time ago. This is not about erosion – they are already gone. Target, Wendy’s, PlayStation, all have suffered massive losses of customer data. Utilities, banks, public institutions have been compromised, and will continue to be so.
Not only are a significant number of computer systems connected to, or indeed run from, the internet, but also the ways we access corporate data have fragmented beyond recognition. Within the past decade, mobile devices have gone from being exceptional to the norm. And millions of potentially insecure devices are now being connected, in the guise of the Internet of Things.
So, is all lost? Not necessarily. There is still a place for a robust security architecture, built on the principle of the ‘separation of concerns’ — that is, limiting risk by considering how and where business data needs to flow, and putting appropriate safeguards in place. Indeed, I wrote a book about it.
We can talk about technical features and governance mechanisms to be built into such an architecture, as is good and proper. But data security is never, ever going to work without taking on board the most important, yet least predictable variable in the triumvirate of people, process and technology — the people.
In technology industry parlance, the term ‘consumerisation’ has been used to describe our increasing propensity to use our own tech in the workplace. But the principle goes much deeper. Consider, for example, how people expect to take their phone number with them when they move companies.
In general, employees will follow the rules, particularly if their contract says they have to. Acceptable Use Policies are a useful tool against direct abuses of computer systems, software and services. But you don’t need to be a behavioural psychologist to know that people hate to be told what to do if it appears pointless or, indeed, counterproductive.
This goes right to the top. Gone are the days when senior executives expected their emails to be printed out for them, so they could dictate a response. Today, they are as tech-enabled as the rest of us, and expect to make full use of what is available — even if it means using their own devices, due to perceived inadequacies of corporate IT.
Is there an answer? Well, yes there is, but it requires looking way beyond current environments and towards the workplaces, and work forces, of the future. Not only are people becoming more tech-savvy, they are also more transient. Companies hire less and subcontract more. Where once they built, today they partner. And offices are replacing cubes with collaborative spaces.
This brave new world of work is built upon a spirit of trust and collaboration, with smarter organisations drawing on the broadest pool of stakeholders — co-creating with customers, suppliers and even competitors. While this approach puts people first, it nonetheless requires boundaries to be set and enforced — but without getting in the way.
Agility is key to the future, in data security as in business. For security to succeed in such a flexible environment, it needs to consider the role of data as an enabler to collaboration, as well as offering service provisioning mechanisms that are considerably more straightforward than today.
If you create an environment which hinders, rather than helps, people to deliver on the needs of the business, you will increase, not decrease, strategic business risk. While this creates a dilemma for any security professional, that does not make it wrong. As organisations evolve over the next decade, we shall see this point proven again and again.
There’s a reason security consistently appears on IT buyers’ lists of priorities and concerns. We looked last week at some of the biggest cloud and IT disasters of 2013, and this week Networkworld.com weighed in on the worst security SNAFUs of 2013.
Now comes news, first reported by Krebs on Security, of what is believed to be a massive data theft that may have spanned the majority of Target stores from Black Friday through December 15th. The breach was executed by software placed on credit card authorization terminals within the stores and is being investigated by the Secret Service.
Networkworld named Eric Snowden’s data theft and leaks from the National Security Agency the “Biggest Security SNAFU” of the year. That disaster involved not only the security failure due to the agency’s lax internal controls, but ongoing questions about the massive surveillance that Snowden exposed.
The theft of personal information that puts customers at financial risk is one of the most public security breaches that organizations face, and it continues to be a problem. But the exposure of private healthcare information is a rising concern as well. Issues over security of the Healthcare.gov site, which doesn’t actually encompass personal health information at all, probably should have made Networkworld’s list of security SNAFUs, though somehow it didn’t. Still, health data breaches by WellPoint, Cogent Healthcare and New York State’s Office of the Medicaid Inspector General are among those recounted.
Not only is the range of reported data breaches vast, from exposed private texts and home webcam streams to espionage by foreign governments, but so is the variety of vulnerabilities exploited. Breaches ranged from the highest of high-tech software attacks to lost mobile devices, to the improper dumping of paper files in outdoor dumpsters.
The takeaway is that security failures continue to be all too common. A wide array of data types is vulnerable. Long-recognized vulnerabilities continue to be exploited. While one doesn’t want to conclude that failures are inevitable, organizations don’t want to be caught compromising on security procedures, protocols and protection.