Some thoughts on information technology security
I think most of us are aware of the high profile corporate network security breaches that have occurred this year. It seems like every couple of years we experience a wave of security events, quite a bit of activity occurs leading to some nominal changes.
You may think I use the word nominal very casually, however recently I took a look back to see how far security has come in the last 20 years and stand by my use of the word nominal.
Why 20 years? It was about 20 years ago when the first commercially available firewall was introduced by Digital Equipment Corporation. Security in the form of authentication and access controls were widely used prior to the firewall, however security was considered to be primarily a system level function.
By today’s standards the DEC firewall was quaint, however conceptually and architecturally it represented a major change in how we thought about securing an Enterprise.
The industry has evolved since then and while technology has advanced, comprehensive information security is far more extensive than the conventional wisdom of relying on technology based solutions such as firewalls, anti-virus and perhaps monitoring.
Information security is something that needs to be inherent in all business functions and processes. From an information technology risk view, this includes the information itself and the software that accesses the information.
But it doesn’t stop there.
Recently I was involved in an online discussion thread about the potential of outsourcing security. The discussion had a pro-outsource tone to it, though one person did mention the governance of security is critical. His point is particularly interesting as many companies do not incorporate security metrics into their SLA agreements and if they do, they are overly simplistic and not easily governed.
But let’s say a company decides to in-source security and deploys all the right technology, best practices and have incorporated security into their software life-cycle management. I can think of quite a few firms who have put the right level of focus on securing their infrastructure.
Yet when Epsilon announced their security breach, some of these same firms were sending apologetic e-mails to their customers since Epsilon managed parts or all of their customer databases, thereby potentially exposing sensitive information.
The fact is any company that outsources a business or technology function has also outsourced the security of that function along with all information that is processed as part of that function.
Going back to my statement around nominal changes, we are not seeing the type of IT risk governance amongst internal systems and business partners that is needed in today’s hyper-connected world.
Yes, IT security still matters, but just as we did 20 years ago, we need to change our approach by adapting a more holistic approach. An approach that implements a more comprehensive IT Risk management, including software quality assurance (both internal and externally developed), identification, assessing and controlling IT failure events, etc. Most of all, companies must embrace the concept that any work done internally or with a 3rd party needs to incorporate risk governance that is appropriately correlated with the impact of a security event to your business.
Always interested in hearing your thoughts.