Predicting the future of any technology is a challenge, and IT is no exception. The history of computing is littered with attempts to imagine how things might look in the future, and the only characteristic these predictions tend to share is an innate level of inaccuracy.
However, if you want to develop an IT security strategy, you must take a stab at predicting how the industry might change over the years. Some trends are relatively easy to predict - the widespread use of mobile technologies, for instance, or the rise of virtualisation.
Security balancing act
For security professionals, every big, new thing brings with it a raft of big, new risks. Gone forever are the days when security was discussed in terms of offline storage. The IT environments of today are always on and always connected.
The result of this is a balancing act for security professionals. Often, organisations will choose to risk potential dangers rather than batten down the security hatches and constrain the business as a result.
An example of a technology with security implications is the USB stick, which these days has the capacity to haul off a huge amount of corporate data.
One CIO told Computer Weekly that when his security department conducted a USB port scan, it found more than 600 different types of USB storage attached to corporate desktops. Blocking access to these, however, would restrict the flow of data, as well as being an administrative nightmare.
Although organisations may choose to accept the risks of many technologies, this does not necessarily mean that they are reducing administration. In many cases, companies are finding themselves restricted by a lack of security.
According to a study by Freeform Dynamics, firms are limiting their adoption of business-beneficial approaches such as teleworking and workforce mobility because they are concerned about the associated security risks.
So, the absence of clear policy about how risks are being countered is actually holding companies back. Additionally, security breaches are increasingly being treated as business governance failures, not just IT failures.
There are several things an organisation can do, none of which are specifically to do with technology. These include defining responsibility for security challenges, delivering policies that can change with time, and creating procedures for monitoring security practices.
Most importantly, IT security needs to be treated seriously at board level. Lack of security is an inhibitor to business growth. A business-led, co-ordinated approach to IT security need not be difficult to implement if it is pitched at the right level and for the right reasons.