Information security is supposed to be a business enabler. Information security is supposed to be a business issue, not a technology one.
What this means is that, by ensuring the availability, confidentiality and integrity of information, organizations should be able to improve their effectiveness and enable themselves to use today’s electronic and communications media more competitively.
So far, so clear.
We all know that the electronic world is full of dishonest and nasty people, people whose idea of fun is creating and despatching worms, Trojans, viruses and assorted adware and spyware; we know that stealing data has become more than just a cottage industry; and we know that organizations must take steps to combat today's mutating threats by implementing layered defences rather than relying on any single control.
In responding to the threats, many organizations have lost sight of the idea of ‘enablement’. Defences have been erected and are continuously ratcheted up in response to new threats, and as new technology becomes available.
But nobody bothers talking to the users, the people who are meant to be 'enabled' through the use of technology, the people at the business coalface, who are dealing every day with the changing competitive pressures and opportunities of commercial survival in the 21st Century. If they did, they would discover that users are becoming more and more inventive at finding ways of bypassing these controls. It seems barmy to have to go home, use your personal computer to surf the net to find the information that you want, download it to a USB stick, take your USB stick to work and then upload the information to your work computer. Yet this is what more and more people are doing, because it's the only way left for them to get the information they need to actually do their jobs!
Of course, the organization is just as exposed to whatever may be residing on the site from which that determined employee downloaded the data, or on the USB stick it travelled in on; and because the file has walked in past the perimeter, the organization is unlikely to have appropriate defences in place to catch it. Sooner or later, the IT department will make the necessary investment to close off this loophole, and the workers will have to come up with a new way to get round the technology in order to get on with their jobs.
There is an alternative, far less expensive, far more business-focused option: businesses could decide that business management, not the IT department, should determine what controls are appropriate, weighing the risk of a threat against the cost of the control to the people who have to work around it. The good news is that the number of organizations who take that approach is growing (just look at the growing number of BS7799 certified organizations), and, sooner or later, those that stick with the technology-age version of ostrich behaviour will go out of business.
It’s quite frustrating waiting for that to happen, though!