Maksim Kabakou - Fotolia

Security Think Tank: Time for a devolution of responsibility

The belief that effective perimeter security is the best way to protect data is a fallacy that is being repeatedly exposed. We must recognise the need for a data-centric security model to protect data from both internal and external threats, but what does this mean for security professionals?

The belief that perimeter security in isolation will be sufficient to adequately protect our organisations has been flawed for a long time, and yet, despite numerous data breaches over the past few years, remains the model of choice for some IT security professionals. 

One of the reasons for this is that our attitude to information security was largely imported from how we did physical security – fences, barriers, gates, doors – perimeter-based everything.

This has led to organisations buying increasingly costly perimeter protection equipment, without increasing either their resourcing or maintenance strategies, and this in turn has led to yet more costly data breaches.

In simple terms, our adoption of technology has outpaced our understanding of and reaction to emerging threats, and consequently our ownership and management of critical risks to our information assets. 

Another factor that has exacerbated this situation has been the increasing reliance on that technology and on the IT teams to look after everything, and this has extended their remit from managing the “containers”, to managing all of the information that exists within them. This is not, and never was, effective or sustainable.

It is time for a fundamental shift – of attitude, culture and ownership.

Mike Gillespie, Advent IM

Organisations must start to be prepared to take on the issue of devolved authority and accountability. This means making business managers responsible for the information assets, from creation for safe disposal, for understanding the purpose of the asset, its sensitivity which should drive the security (confidentiality), and its consumption and exploitation requirements which will drive understanding of need for accuracy (integrity) and user access (availability).

Security strategies can then be built with the business needs and the users’ requirements in mind, starting with “knowns” rather than perceptions and assumptions.

Until then, we are effectively doing the equivalent of trusting a car salesman to pick out the right car without understanding our family situation, the sort of mileage we do or indeed the fundamental purpose for which we want the vehicle. Simply delete car salesman and insert IT supplier.

Training of both users and security teams is lacking. Bear with me on this because we are familiar with saying users need education, but actually, security people do too. They need to know how to communicate with their users and leaders for the best outcomes. Finding ways to engage the users in security will not only bring better results in terms of operational security, there will be an overall raising of the positive profile of security as a result, and users supporting security to allow those professionals to become the expert advisors they are supposed to be.

Read more from Computer Weekly’s Security Think Tank about the need to move away from perimeter security

Read more on IT risk management

Data Center
Data Management