In this industry it's not so hard to spot the changes as they happen: what's harder is to do something about them, given what's already in place. Technology is presenting organisations large and small with new opportunities, but is also creating new challenges and pressures which might be easy to fix if those in charge had the chance to start with a clean sheet of paper.
Nowhere is change having more impact than in security and risk management. When the Jericho Forum was set up in 2004, its goal was to look at the challenges faced around 'de-perimeterisation' - that is, what does security need to become when the perimeter of the organisation starts to weaken based on how people are using IT? A question which has become a self-fulfilling prophecy.
Seven years later, for many organisations the perimeter has gone completely. Cloud computing, the umbrella term we use to describe internet-based applications and services, has arrived on the technological scene at the same time as the mass market adoption of smart phones and other mobile devices, rendering any 'fortress wall' models of IT redundant. There is no boundary, and information is running free across services and devices of all kinds with all the risks that ensue.
Right now, organisations are struggling to make sense of the new, even as they continue to manage the old. If the future is about hybrid environments that make the most of both existing in-house and cloud-based facilities, accessible from any device, the challenge will only get bigger. There is also an economic imperative: the organisations that deploy the right combination of technologies, wherever they are physically, will have the competitive advantage over those who stick with more traditional models.
One thing's for sure - new approaches are needed to manage the risks inherent in running such complex environments. Traditional approaches have tended to focus more on locking down technology, or restricting access to people based on pre-defined policies. Technology-centric approaches might have worked well in the old world but are inadequate by themselves to deal with such challenges as consumerisation or location-independent virtual machines.
Future approaches need to encompass two additional characteristics, the first of which is information centricity. If information of a certain kind requires a defined level of protection, then this protection still needs to apply, wherever the information happens to be. Customer data might exist in a corporate database, in a cloud-based SaaS application and across any number of devices simultaneously. If such data is deemed important, then protections need to apply across all locations. Otherwise it is like locking the door while leaving all the windows open.
This brings us to a second element. In his recent talk at the Royal Society, Tim Berners-Lee commented, "We're moving away from lockdown privacy to a focus on accountability." In this age where it is difficult to predict what might be used where, the ability to keep tabs on information and how it is used becomes a crucial starting point - both to ensure that policies have been kept to from a governance standpoint, and to diagnose issues should a breach take place. From an information perspective, this boils down to knowing where data is, who has access to it and how it is being processed, wherever it may be.
Accountability also requires new ways of thinking about identity management. In the past, user names have been associated with people in certain roles. Today's highly mobile, socially networked world is yielding composite identities, from geolocated Twitter messages to multiple site logins - and the composite identity is more important than individual elements. For example, a personal account registered with a service provider may prove a better mechanism to locate a mobile device, or even wipe its content should it be lost or stolen. But the IT department would need to make the connection between the device, its whereabouts and the data stored, before a 'wipe' decision could be made.
While nobody has a monopoly on the future, it is increasingly clear that traditional, technology-centric approaches are solving only a subset of problems, while ignoring the bigger challenges. There is no room for complacency - with information still growing at an alarming rate, and with the threat of cybercrime looming larger, nobody can rest on their laurels. By moving the focus away from technology, onto information and the accountability of those accessing it, organisations will be better able to respond to challenges they face, head on.