What’s the future for information security? For Paul Simmonds, a former Chief Information Security Officer at AstraZeneca and ICI and who is now with identity management body the Jericho Forum, the answer – and the way for today’s CIO to intelligently start dealing with that future – is this: "Start designing everything now to be externalisable."
Not the prettiest neologism you’ll read today, maybe – but still a very useful one.
To understand what Simmonds means by the word, you have to follow the logic that led to it – and to do that, we need to start where most organisations are today. Which is not a great place, it seems.
"We’ve been working on an assumption that you need different levels of security for the internal network versus the external one, the Internet – the Big Bad World out there," he told CBR this week. "That’s been an incorrect assumption for at least ten years."
Why? Simmonds uses the example of that fleet of multi-function photocopiers dotted around the organisation that you probably don’t give that much thought to. What they actually are, of course, is a Linux box connected to a hard drive and an external modem – and hence offer a perfectly fine way to get in if you are a miscreant.
Then there are all those outsourced consultants walking around inside your corporate walls with their own PCs and laptops cheerfully connecting to the network. As in – your network.
"The reality is that most CIOs have no idea what the Hell is on their network, not its provenance, what state it’s in, let alone its state of vulnerability," he says.
So – first step, hygiene exercise; identify all that is on there, perform a patching and protection exercise and Bob’s your parent’s fraternal, surely? Not quite, says this former CISO.
"It’s very important to work out what is going on the network but then the next step has to be looking in detail at your connections – what is connected in and out. And of course, you want lots of connections to the outside world – that’s what doing Business is all about these days."
But what about control? This is possibly the interesting step that leads us to that ‘externalisable’ word. In a connected world, where organisations, including of course the internal ICT organisation, are outsourcing and forming webs of relationships with all sorts of entities, total control, the sort of control you might have had back in the client/server day, just isn’t feasible – or even, he thinks, desirable.
Instead; dissolve the perimeter. Or at least live with the fact that it’s porous. Instead, look to create each and every new service or application going forward as always having to work an interface with the external (Internet, possibly cloud) based world.
Fine – but there’s the element, plainly, of risk. Which is where Simmonds’ next radical solution comes in. "None of this will work without really good identity management, so that you go from just allowing any external person to come in by routing their IP address to knowing who is who and allowing them to only see what they need," he argues.
Interesting, if possibly provocative stuff. We think these kinds of ideas should be informing any and all CIO-CISO and probably CEO conversations in the days of the smartphone, USB, iPad and what have you. Hope you agree – and see something useful in the ‘externalisable’ world we are moving into. Like it or not?