The IT world is shifting around us, much the way the world changed back in the 16th century when empires began to require control of the high seas to protect their economic interests. Go back ten years, and a CIO could reasonably expect to protect a vulnerable tech resource by trudging down to the data centre and unplugging it.
Nowadays, there’s no telling where in the world our critical resources and information might be at any given time. Our operating environment has changed, and so too must our mental model for how we provide support and security to our business. The old fortress model of IT service delivery worked well for years: our critical components were safely ensconced in a physical data centre that we protected with sentries, locks, and the occasional policy moat. If you brought a Roman legatus forward in time and appointed him CIO, he’d have very little difficulty picking up the core concepts of 2000s-era systems protection.
Fortunately or unfortunately, that model is mostly done for. Today, we shift our servers all around the globe to meet instant demand, usually without ever being quite sure which country they’re operating in at any given moment. Instead of dumb terminals and dumber apps, we arm our workers with laptops, tablets, smart phones, and (soon) wearable processors that meander anywhere the employee’s whims might take them. We can never be sure at any given time where our critical resources are, other than “somewhere on or reasonably near Earth”. That means we have to change our model of how to go about protecting our people and our assets.
The fortress model needs to give way to a more nautical one. Back in the Golden Age of Sail, empires had to give great leeway to ship captains to figure out how best to protect their vessels, crews and cargo while operating largely outside the support of (or interference from!) the Admiralty. That need for independent action and the demand for sound judgment meant that naval officers were expected to be highly trained, well-rounded in all aspects of operating their ships, and eternally conscious of the need to pay attention to everything that happened within their sphere of influence.
We need to apply that same mental model to training and equipping our distributed team members. There’s still a need for a strong CIO, CTO, and CISO in the enterprise, just as the Navy always needed strategic admirals and planners. Our line of battle, however, must operate independently from the CIO. As part of our transformation to a work anywhere/work whenever culture, we need to greatly strengthen cyber-security education for all users, and change our policies to put significantly more legal and operational responsibility directly on each line employee as an independent officer.
It’s not corporate HQ’s responsibility to secure, monitor, defend and troubleshoot IT kit in the wild anymore – it’s the operator’s job, and the operator must understand that they’re individually accountable for their every lapse in professional judgment. We still need to arm our cyber defence teams with all the latest detection kit and countermeasures; that’s not in dispute. What needs to change is our assumption that our central security departments are sufficient protection on their own.
We need to think of the central intrusion prevention systems and anti-virus servers as coastal artillery guarding a safe harbour; we can protect our mobile fleet only so long as they’re safely moored within a protected corporate enclave. The moment the user disconnects from the enterprise network, they’re sailing into pirate-infested waters – and every user needs to understand that.
These security operations metaphors aren’t excuses by which to absolve the CIO’s team from blame for a breach; rather, they’re conceptual maps for reimagining the new business world, so as to better define for all involved what we realistically can and cannot do to support our distributed users.
If your CIO runs their operation like it was still 1999 – with draconian access policies, inflexible standards, and an insistence on conventional wired networks – then it may be time to replace your CIO. The BlackBerry and iPhone irrevocably changed our world, and we have to change our support tactics to accommodate how business is now being done. We have to accept and embrace the fact that we’ve lost a great deal of control over our resources. We have to arm up our people to take care of themselves wherever their job happens to take them.