We talk a lot about new technology, but there are few times when technology really tears up an organisation's rulebook - but that is what the "cloud" and the iPad have done, writes Matthew Lord, CISSP. These technologies have entered our organisations, bypassing traditional operational and risk processes, and typically from the top down.
For two good examples of this, let us take a fictitious company where a senior executive arrives back from holiday with his new iPad wanting his corporate e-mail up and running on it the same day - because his peers have it, and as someone who makes risky decisions every day, he does not consider e-mail on an iPad to be that risky - and a fresh faced graduate developer looking to please his boss by using his credit card to purchase a cloud-based hosting platform.
These two examples illustrate something of a time bomb for the security profession. We have become comfortable that people would listen to us in a meeting because to ignore our advice meant being hacked. However, being "hacked" became like catching H1N1, better know as the deadly bird flu. Like any seasonal flu, the infectious season soon passed and people began to question the true likelihood of being "hacked". Lucky for us in the profession, another security "flu" came along, this time in the guise of regulation. Again no one wanted to be the test case for this year's deadly flu.
So what is the real parallel between H1N1, an iPad and the cloud? For me, it is the fact that their presence was so disruptive that they forced everyone to tear up the rule book. Our traditional risk management and operational processes failed. Further, the latest two flu outbreaks did not really result in a pandemic, encouraging many to question whether they really needed that flu jab? Equally, people could ask whether the iPad resulted in a corporate's downfall and has an unauthorised cloud account caused any issues - ok the latter has happened. But the common feature is that our traditional boiler plate security processes and "scareware" are only useful for so long before this approach becomes unstuck. This problem is also exasperated when the pace of technology change goes into overdrive or people just do not approach you because your processes are too slow to react - this is what we have seen with the iPad and the cloud entering corporates.
So what do security professionals need to do? They need to begin to think like the CEO; making more nimble risk-based decisions in a fast-paced technology world. These decisions need to weigh up the true security risks versus the business rewards new technology brings to a company. However, the real step-change is to stop using today's security "flu" as a reason to block a project, and instead educate our businesses on the true risks of using new technology. If we all take this approach, the security professional will become more valued and the CEO will consult us rather than bypass us by. And the young developer may even tell you when he is using the cloud.
Matthew Lord, CISSP, is chief information security officer at Steria.
Photo by Jupiterimages/Thinkstock
This was first published in June 2011