Individual security professionals are never going to cope with the diversity of their users’ behaviour, says Peter Judge. Is there a way to satisfy all the needs of all concerned?
Security brings out people’s differences like no other IT issue. There is a massive generation gap in attitudes to security, and it is fuelling the security skills crisis.
Amongst users, young people are happy to put almost any information online in communities like Facebook, and this worries the old guard in IT security, says John Colley of (ISC)2.
Meanwhile, however, another generation could be more problematic. The older “catch-up” generation sees the arrival of Web 2.0 technologies, and is trying its best to get on board. Not having grown up with digital technologies, this group is much more likely to make elementary security mistakes.
Managing this disparity is an impossible task, and makes current security work unforgiving and unrewarding. CSOs have to simultaneously curb the excesses of the smart, while catching the fumbles of the foolish – and that’s before they start to worry about external threats.
And there’s another generation gap amongst the IT security professionals trying to deliver this. The first cohort worked hard on technologies like firewalls; the next lot created procedures such as BS7799 and ITIL.
Now, IT security is on the cusp of becoming “professional” with its own jargon, and at least two strands are emerging: the anoraks who deal with deep technology, and the suits, who deal with the business issues and keep the people in the organisation on-side.
Security professionals – perhaps surprisingly – see cloud computing as a way to avoid these divisions, providing services which will satisfy the anoraks’ need for precision, and give the suits clear tools to offer the organisation. They could also provide enough collaboration and sharing for the younger users, while giving the older catch-up generation enough support and barriers to keep them safe.
That, at least, is the theory. Whether it works out that way will depend on IT professionals insisting on services that are suited to their purpose.
Cloud is inevitable – both for the cost-savings it promises, and for the fact that it mirrors the consumer expectations that users will be bringing to their workplaces.
Providers may still attempt to get away with services where we simply take their security on trust. It is up to security workers to insist on clearly explained and accountable services – and if they get it right, it could actually allow all of us to finally start to catch up on security.