A recent IDG interview of Bob Gourley and Andrjew Kawalec delved into the problem of the “traditional” method of enterprise security, a paradigm under severe challenge. We can sum up the traditional approach as less a certain tactic, technique, technology, or policy than a way of viewing the world.
As Gourley has noted, traditional enterprise security can be characterized by the following bullets:
- Primarily exists below the CIO level and is thought of as a technical, rather than policy, matter
- Is based on point defense of all access points (The Maginot line approach)
- Doesn’t provide defense-in-depth
- Is not about the enterprise as a whole
- Does not take into account enterprise use of computing technologies besides PCs
Enterprise security, in the traditional approach, is thought of as a technical issue rather than a policy problem. This limits the ability to think strategically and keeps the conversation (and policy) focused on tactics and technical measures and counter-measures, losing sight of the overall problems and solutions that are typically decided at the CIO level. Point defense is seen as a viable solution to security problems, despite a poor historical track record in both military and private security contexts. It does not focus on the enterprise itself but looks narrowly at a discrete set of technical issues, and it is similarly blind and deaf to the growing enterprise use of “post-PC” mobile technologies.
As noted before, this is an aggregate set of practices formed by an underlying worldview rather than a deliberate policy that a Bill Lumbergh sat down and decided to inflict on his subordinates. It was formed less by deliberate design than by a confluence of factors, including the dominance of the PC as the singular computing platform within the enterprise, the relatively primitive (compared to today) nature of security problems, the marginalization of computer security as a technical rather than policy issue, and a desire to minimize loss by attempting to protect everything within the enterprise.
Although military examples are often useful in looking at attack/defense dynamics in the cyber world, a more mundane example from private security also illustrates the point. Dignitary protection, a fairly standard mission for private security in the corporate, political, and entertainment worlds, is not just about neutralizing a discrete set of technical threats (the stereotype of a bodyguard checking for bombs or people with guns). It is also about understanding and calculating plausible threat scenarios informed by a knowledge of the principal’s everyday lifestyle, security weaknesses, likely adversaries, and many other factors. Point defense is a worst-case scenario, and is arguably seen as a denial of the tradeoffs inherent in the profession.
Obviously, the creation of the CIO itself (and the similar rise in CTO positions) is a symptom of greater change in both government and private organizations. The idea that technology policy within an organization can be centralized and strategically directed in a long-term frame has enormous implications for the way we think about enterprise security. We’ll be discussing these issues in more depth at the FedCyber Government-Industry Cyber Security Summit and hope you’ll be able to attend.