Ray Bradbury said “Living at risk is jumping off the cliff and building your wings on the way down.”
It’s hard to imagine a better analogy for the challenges that information security faces today. Whether we want to or not, the business drive to adopt disruptive technologies and new ways of using IT – cloud, mobility, social media, consumerization, and so on – has pushed us off the cliff, and we’re building those wings as fast as we can.
I bumped into a couple of good articles recently, one by George Hulme at CSO Online on the challenges of risk management and the other by Robert Westervelt on the need to effectively communicate with senior management. Two different topics, but clearly both are highly relevant as we think about the brave new world of IT, the business, and the pressure to keep our “stuff” safe.
Senior managers – the guys and gals with the money – need to clearly understand the implications of the business choices they are making especially when it comes to the way they provide systems and services – and part of the equation has to be risk. The challenge for many security professionals is communicating the risk in terms that make sense in the boardroom.
The security industry has come a long way towards improving the communication between the often opaque world of virus signatures, zero-day attacks and packet sniffing, but we still have a way to go in terms of making the more mundane aspects of security relevant, and still further explaining to the CFO why we need even more money this year just to stop “something bad” from happening next year.
Yet, even as much progress has been made, that same progress is being threatened by a whole new raft of opportunities to change the business, redefine IT, and at the same time blow our security plans wide open. The problem isn’t that we can’t communicate the risks of things like cloud, mobility and so on. Rather, it’s that there’s still so much disagreement about what the risks might be.
Want to throw open the doors to social credentials? Want to cloud-burst our end-of-quarter processing to reduce infrastructure investment? How about letting everyone connect to our CRM system from their smartphone?
Sure. We can do all those. Want to know that the risk is… well… let me get back to you on that.
The business not only won’t wait for us, it can’t wait for us. And all this complexity now means that the things we thought we had a lid on? Yeah, the bottom just fell out on our world.
So, we’re off the edge, on our way down. And we better start learning to fly fast.
I think the most important thing we can do is learn from the past – look at what worked other times the business turned IT on its head – whether that was the Internet, client-server, the PC, or whatever your model of preference may be and learn, re-learn if necessary, how to keep security relevant as the IT world reinvents itself. Again.
The best way to prepare for the unknown, ultimately, is to at least fix what you can now. Get the basics right. Reduce the risks you can see. And get your security and risk management programs lean, mean and ready to go.
That way, when you find yourself off that cliff, you should at least have the right tools, and maybe even a spare wing or two.