Security Think Tank: Time for a devolution of responsibility

The belief that perimeter security in isolation will be sufficient to adequately protect our organisations has been flawed for a long time, and yet, despite numerous data breaches over the past few years, remains the model of choice for some IT security professionals. 

One of the reasons for this is that our attitude to information security was largely imported from how we did physical security – fences, barriers, gates, doors – perimeter-based everything.

This has led to organisations buying increasingly costly perimeter protection equipment, without increasing either their resourcing or maintenance strategies, and this in turn has led to yet more costly data breaches.

In simple terms, our adoption of technology has outpaced our understanding of and reaction to emerging threats, and consequently our ownership and management of critical risks to our information assets. 

Another factor that has exacerbated this situation has been the increasing reliance on that technology and on the IT teams to look after everything, and this has extended their remit from managing the “containers”, to managing all of the information that exists within them. This is not, and never was, effective or sustainable.

It is time for a fundamental shift – of attitude, culture and ownership.

Organisations must start to be prepared to take on the issue of devolved authority and accountability. This means making business managers responsible for the information assets, from creation for safe disposal, for understanding the purpose of the asset, its sensitivity which should drive the security (confidentiality), and its consumption and exploitation requirements which will drive understanding of need for accuracy (integrity) and user access (availability).

Security strategies can then be built with the business needs and the users’ requirements in mind, starting with “knowns” rather than perceptions and assumptions.

Until then, we are effectively doing the equivalent of trusting a car salesman to pick out the right car without understanding our family situation, the sort of mileage we do or indeed the fundamental purpose for which we want the vehicle. Simply delete car salesman and insert IT supplier.

Training of both users and security teams is lacking. Bear with me on this because we are familiar with saying users need education, but actually, security people do too. They need to know how to communicate with their users and leaders for the best outcomes. Finding ways to engage the users in security will not only bring better results in terms of operational security, there will be an overall raising of the positive profile of security as a result, and users supporting security to allow those professionals to become the expert advisors they are supposed to be.