IT security needs a new metaphor

It is no longer fashionable to regard security as a fortress to keep people out. The new analogy is an airport, where anyone can enter, but access to different areas is then strictly policed by a series of checks and controls. John Stewart of Signify, an IT security consultancy, outlined five areas of IT security when he spoke to IT directors at September's BCS Elite Conference. The role of the immigration officers, inspecting credentials and deciding who is allowed in, is played by firewalls. Identity management is the passport office, which issues and verifies those credentials. Content security equates to the x-ray machines used to check luggage; encryption is the diplomatic bag that ensures confidential documents are not snooped on; and intrusion detection is the CCTV that monitors all activity and spots threats. Although simplistic, this kind of analogy is ideal for communicating ideas about security, especially to business managers, for whom it is a turn-off topic on the wrong side of the balance sheet. Take virus and worm protection. Having persuaded managers to invest in e-mail protection, we need more than just technical arguments to win the cash needed to tackle future threats of, say, malicious code seeping through web browsers when XML applications hit the desktops. IT directors and managers will increasingly need to learn how to shape their arguments to address business fears: damage to reputation, loss of current or future business, and court action. The finance sector, now under intense regulatory pressure to measure operational risk, is setting the pace. What it does now will eventually affect all sectors. Now is the time to start preparing those metaphors and analogies. IT security managers are rethinking their approaches to security in large organisations and re-evaluating upcoming threats.