“We are protecting the wrong things”

Information security journals are often boring. The typical story these days summarizes a technical, managerial or legal concept, and then lists a recipe of controls that the author thinks should be applied to said concept.

In this light, the guest editorial “Mobility Changes (Almost) Everything!” by William C. Boni, CISM, in volume 3, 2008 of the Information Systems Control Journal, is a particularly refreshing surprise. The story discusses today’s environment of ubiquitous connectivity, consumerization of IT, and cybercrime, and dismisses the cookbook approach, which is very welcome. Here is a rarely stated point I find particularly important:

[M]ost IT organizations impose strict controls over users’ workstations and limit the choice of applications, claiming “security” (what some pundits have called “Software Stalinism”) requires these controls.———The problem with the forced-controls paradigm is it runs directly counter to much of the value-creation model of the 21st century economy.———If “baroque” network security architectures and policies do not accommodate and enable an innovation culture, then they risk imprisoning the creative staff in a sterile shell of controls that stifle agility and productivity gains, which may ultimately leave the organization uncompetitive in the global market.

The gist of the editorial is that today’s information security threats cannot be effectively countered using technology alone, and that a holistic, creativity-friendly approach is required instead. I totally agree. Effective security stems not from technology products, but from knowledge, responsibility and empowerment on the part of rank and file employees.


The entire article is also available on the ISACA web site. ISACA members can read the story now; the public should be able to access it from the summer of 2009.

What do you think? Are we at the mercy of solution vendors? Please post your comments!

