IT Security is, at its core, just another kind of risk management. The principles are straightforward to explain – identify the risks, their probability and impact, then work out suitable mitigation strategies to reduce one or the other.
So, how hard can it be to ‘deliver’ IT security – that is, to make an organisation's IT environment secure? Very hard, is the answer, when we consider just how far technology has come since such principles were first documented. The main challenge can be to identify the risks in the first place, against a background of constant evolution and sudden change.
And it's not going to get any easier given that threats come from an increasing variety of places. Let's summarise – mobile devices and networks; cloud-based applications, services and infrastructure; social networks and online collaboration tools; email and documents; virtualised infrastructure and applications; and last but not least, a rich legacy of computer systems and software. Simply looking at such a list illustrates how complex the problem has become.
So, what to do? Traditional IT has tended towards a ‘divide and conquer’ approach, that is, break each complex system down into simpler subsystems and deal with each in turn. The trouble is, all of the above are converging: IT is no longer in a traditional, modular state in which any one thing can be treated individually. The result is enough to scare off even the hardiest of security professionals.
If the future is hybrid, however, then security needs to work in the same way – considering risks horizontally across the entire (yes, you read that right) landscape of technology, rather than vertically addressing each specific element one at a time. Many organisations we talk to are moving from risk avoidance to a state of risk acceptance, in which IT risk and business risk are considered together, and from a "lock-it-away" stance to one which is more about enablement and mitigation.
It could be, however, that organisations (or, more importantly, the people working for them) are still not taking things far enough. We can talk about "treating security architecturally" or "increasing the authority of the CSO", but both imply that somebody else takes responsibility (at whatever level). If risk exists across the entire, dynamically changing ecosystem, then it is the responsibility of everybody to appraise the totality of risk, assess its impact and make appropriate mitigation decisions.
This takes things one step further than another familiar mantra often requested of employees – ‘being vigilant’. Vigilance implies constantly peering around the corner when walking through a dodgy neighbourhood, in case bad things are about to happen. With awareness training, people can be vigilant about IT for a short while, but may eventually revert to complacency if they do not fully buy into the core idea that security is everybody's problem.
The required state of personal awareness bears more of a comparison with driving, another potentially high-risk activity. Running a company in a risk-aware fashion is not that different to driving a car through an unfamiliar landscape. Nor, for that matter, is working for one. IT security is, now and forever, the responsibility of everybody, from top to bottom.
As technology becomes more and more embedded into human existence, we will eventually stop thinking about it as ‘over there’. From a security perspective there is nothing stopping us all adopting such a position straight away, and avoiding exposing our businesses and ourselves to unnecessary risks.
Whether we like it or not, we are all drivers now.