We can blame networking. IT security was never simple, even when computers were largely stand-alone machines connected to banks of green-screened terminals. However, interfaces between systems were generally inaccessible to all but operations staff.
It was when we started to allow outside connections that things stepped up a level in terms of risks. First dial-in connections, then local area networking meant that access was available to anyone who had appropriate communications tools.
It was around this time that security professionals invented the term 'defence in depth'. The idea was that security existed as circles within circles, each layer protected at the boundary by appropriate technology.
Then the Internet came along and changed everything again. Without going through the entire history of the past two decades, we're now at a point where data can be in any one of several places – on corporate systems, on computers in home offices, on smart phones or in the cloud.
It doesn’t take a rocket scientist to know that defence in depth approaches are no longer valid. While data centres still require a level of cladding (nobody is suggesting a free-for-all), there can be as much data existing outside of the corporate environment as within it. And trying to apply levels of draconian control across devices is a scenario King Canute would have been familiar with.
The good news is, we have other ways of thinking about how we use technology. At Symantec, our philosophy is to centre on the information and, rather than expecting corporate data to stay in the places which have traditionally been protected, to put protection where the data is today.
Equally important are the people accessing this information, and the services they use in their daily jobs. Again, it is a case of moving the protection to where the risks are. The challenge is how to do this without disrupting use - otherwise users will simply work out another way of getting things done. On the flip side, the simpler and more transparent you can make things, the better people will be protected against the risks.
This is precisely the approach we're building into our new O3 platform. On the surface, O3 is described as 'security for the cloud', but underlying the architecture are the joint principles of moving security to where the risks are, but without compromising use. Rather than defence in depth, which puts barriers in the way of access, O3 follows more of a defence in breadth philosophy, responding to the issues in the places information, people and services are likely to be.
Changing a security philosophy is going to be like turning a tanker around, particularly for IT departments that are used to the command-and-control approaches linked to defence in depth. Most people I speak to are already well aware of the challenges, both for themselves and for their organisations.
What’s pretty clear, however, is that we can’t just carry on the way things used to be. Security professionals are at the start of a journey, going to places that we might prefer to avoid. But there is no turning back.