Today is a nice day. It is 78 °F (25 °C) and sunny here in Garden City, NY. Today, I decided to actually take a lunch break and stroll over to Subway for a bite. On my way out, I snatched the latest copy of ISACA's Information Systems Control Journal. Although I did not get much past the guest editorial by William C. Boni, titled "Mobility Changes (Almost) Everything!" (membership required), it was worth a good read. Mr. Boni writes:

"The notion of treating an organization's network as if it is a discrete environment and developing security solutions to guard against the threat of outsiders is dangerously outmoded and an incomplete concept. We need to understand that this pernicious and outdated concept still affects our approach to protection, and many people continue to operate as if physical location is a reliable measure for protecting organizations against risks of information theft or loss."

ISACA Information Systems Control Journal, Volume 3, 2008

Very few active practitioners of the information security trade will disagree that the perimeter is fading, and that we are facing an increasingly mobile workforce. I blogged about this before, and I doubt that this will be my last post on the topic.


What I have always left unsaid, but what Mr. Boni clearly points out, is that we must realize that only very few people really understand the consequences of this development. Most of our (implicit) thinking still revolves around the old fortress metaphor: as long as you are on the inside, you are safe. The way that most of us architect the locations of firewalls, Intrusion Detection/Prevention Systems, etc. is a lively illustration of this way of thinking.

Unfortunately, the view of an organization as an entity with clearly delineated IT boundaries is no longer true (if it ever has been); modern organizations are not castles or strongholds, they are open entities with a very large number of interdependencies with business partners, clients, suppliers, governments, financial institutions, etc. Our global economy depends on organizations working together and adding value at each link in the value chain. Information security professionals need to be aware of that.

Mr. Boni also writes:

"Increasingly, new products, services and solutions require near-constant innovation. Innovation in a global community--the creative spark that envisions new experiences, products or services creation--comes as often from the ad hoc, unstructured, interpersonal and interorganizational discussion, as it does from formal research initiatives."

That observation is spot-on, and it is something we must listen to very well. Information security efforts must be aligned with business needs (essential truths: never say no), and most businesses need to constantly adapt to changes in their environment.

Sometimes that adaptation will be facilitated through innovation, but more often it is through communication. Both processes rely heavily on information processing, and as information security professionals, it is our job to facilitate these processes so that they happen efficiently, effectively, and securely.