Data security has never been as hard as it is today. And it is going to get harder. Why? Because it is becoming more embedded in everything we do; and because we, not technology, hold the key to the future.
The protective walls of the corporation came tumbling down a long time ago. This is not about erosion – they are already gone. Target, Wendy’s, PlayStation, all have suffered massive losses of customer data. Utilities, banks, public institutions have been compromised, and will continue to be so.
Not only are a significant number of computer systems connected to, or indeed, run from the internet, but also the ways we access corporate data have fragmented beyond recognition. Within the past decade, mobile devices have gone from being exceptional to the norm. And millions of potentially insecure devices are now being connected, in the guise of the Internet of Things.
So, is all lost? Not necessarily. There is still a place for a robust security architecture, built on the principle of the ‘separation of concerns’ — that is, limiting risk by considering how and where business data needs to flow, and putting appropriate safeguards in place. Indeed, I wrote a book about it.
We can talk about technical features and governance mechanisms to be built into such an architecture, as is good and proper. But data security is never, ever going to work without taking on board the most important, yet least predictable variable in the triumvirate of people, process and technology — the people.
In technology industry parlance, the term ‘consumerisation’ has been used to describe our increasing propensity to use our own tech in the workplace. But the principle goes much deeper. Consider, for example, how people expect to take their phone number with them when they move companies.
In general, employees will follow the rules, particularly if their contract says they have to. Acceptable Use Policies are a useful tool against direct abuses of computer systems, software and services. But you don’t need to be a behavioural psychologist to know that people hate to be told what to do if it appears pointless or indeed, counterproductive.
This goes right to the top. Gone are the days when senior executives expected their emails to be printed out for them, so they could dictate a response. Today, they are as tech-enabled as the rest of us, and expect to make full use of what is available — even if it means using their own devices, due to perceived inadequacies of corporate IT.
Is there an answer? Well, yes there is, but it requires looking way beyond current environments and towards the workplaces, and workforces, of the future. Not only are people becoming more tech-savvy, they are also more transient. Companies hire less and subcontract more. Where once they built, today they partner. And offices are replacing cubes with collaborative spaces.
This brave new world of work is built upon a spirit of trust and collaboration, with smarter organisations drawing on the broadest pool of stakeholders — co-creating with customers, suppliers and even competitors. While this approach puts people first, it nonetheless requires boundaries to be set and enforced — but without getting in the way.
Agility is key to the future, in data security as in business. For security to succeed in such a flexible environment, it needs to consider the role of data as an enabler to collaboration, as well as offering service provisioning mechanisms that are considerably more straightforward than today.
If you create an environment which hinders rather than helps people in delivering on the needs of the business, you will increase, not decrease, strategic business risk. While this creates a dilemma for any security professional, that does not make it wrong. As organisations evolve over the next decade, we shall see this point proven again and again.