The rapid transformation in how and where society uses information has one overarching outcome: it ends the era of compartmentalized, bolt-on information security. Today we largely compartmentalize data recovery, backup, and redundancy into one bucket. We put end-user support in another bucket. We put security in yet another bucket or, worse, end-user security in one bucket and data center security in another.
This cannot continue. Unless you take a holistic, systems-oriented view of your information system, you’re inviting failure. The compartmentalized approach isn’t agile enough to adapt to today’s asymmetric, globally distributed use of information, and will eventually break. A butterfly effect is at work: even small changes in your network can have a disruptive impact on security.
For example, an increasingly common practice today is to encourage employees to network with customers and partners using social networking sites. This activity often takes place over the organization’s internal network. Unless you’ve thought it through holistically, you have no idea what the consequences might be. You could end up with a real storm in an unexpected area of your network, simply because you allowed access to social networking.
The pace of change continues to accelerate and, with it, so does the evolution of threats. We live in an era where it’s not only possible, but easy, for anyone with an axe to grind to make off with entire libraries of information and, minutes later, share their haul with the entire planet.
A few years ago, it would have required a crew from “Mission Impossible” to make off with millions of U.S. Armed Forces or State Department documents. But as the WikiLeaks incident proves, today it requires only a logon and some portable rewritable storage.
The key to deflecting this risk is to understand that IT security is no longer only a technology or people problem. It is an information problem as well. Take a holistic view of your information system. Encrypt your information at rest and in motion. Monitor its use. Respond to anomalies. Update your policies (including how you authenticate). And enforce your procedures.