“Embracing the new IT reality” by Carlo Kristle G. Dimarucut (December 5, 2011)

SUITS THE C-SUITE By Carlo Kristle G. Dimarucut
Business World (12/05/2011)

Information Technology (IT) is often seen as a crucible for change in many organizations.

An organization’s fundamental functions often pivot around the capabilities and boundaries of IT. But for some reason, the use of cloud, social media and personal devices in the enterprise has caught most IT organizations unprepared. Suddenly, everywhere one looks, employees are surfing on smartphones, tapping tablet PCs, and tweeting indiscriminately, to the dismay of IT security.

The continued blurring of the boundaries between personal and corporate devices will push organizations to consider seriously a whole new approach to securing information. Security in the past has been focused almost entirely on perimeter controls. In fact, one can presume that a good portion of most companies’ 2012 security budgets are still focused on perimeter controls and its traditional counterparts. Nonetheless, the rapid pace of the adoption of these popular device technologies has inevitably compelled organizations to respond somehow. In Ernst & Young’s 2011 Global Information Security Survey (GISS), it was shown that only 20% of the companies surveyed do not have plans to use tablet computers and other employee-owned devices.

The survey identified some uncomfortable realities we have to concede to and address with regard to IT security.

First is that the average organization’s IT department has lost control over the actual number of devices that are using and controlling its data. An increasing number of companies are offering support for employee-owned devices instead of providing devices with a preconfigured system. With this shift in ownership, organizations relinquish some of the control they used to exercise by limiting support to a single consistent software build. With cloud computing making a big splash on the consumers, the barriers for a user (or department within the organization) using a free cloud computing service that its IT system cannot provide has become a very easy exercise. Cloud-based e-mail services and data storage services can already store critical information from the mobile devices of the CEO, COO, and CFO and other C-Suite leaders, crossing geographical, juridical and organizational boundaries. And from compliance to contractual obligations to risk management, this spawns a plethora of issues which may be difficult to handle.

Second is that we are all one Tweet or text away from an information breach or corporate security leak. From Ernst & Young’s 2011 GISS, it was observed that 57% of the nearly 1,700 CIOs and information security and IT executives from 52 countries said that the risks brought about by these new technologies are being collectively dealt with by adjusting existing policies or ramping up security awareness activities. This indicates that a majority of organizations recognize the lack of any technology capable of strictly enforcing information control policies, and that we can all be victims of a disgruntled insider or an ignorant user with legitimate access to the corporate database.

Third is that social media and the risks associated with it will eventually become accepted and allowed in all but the most restrictive of organizations. Social media has been around for at least 10 years now, but never has there been a period where its pervasiveness had made its way into the personal conversations of organizations’ work force.

Arguably there are certain benefits in allowing social media into the enterprise but ultimately, most survey respondents said that social media entered through the backdoor via the top management’s smartphones and tablets. This poses a significant problem for users who “trust” social media because they trust the senders. For years, we have instilled the mind-set of never clicking on uncertain e-mail links to avoid viruses — the same practice now has to become commonplace with regard to links sent via social media. Most companies made significant headway in killing off trust-related attacks via e-mail. Unfortunately, through social media, these attacks are making a comeback into corporate networks.

It is time for a shift in perspective. The information security landscape has changed and no single fix can truly, fully protect corporate networks from attacks. The new approach is organic, predictive and enterprise-wide. IT organizations have to accept the reality that handing down rules and policies from on-high is useless; the only way to retain some control over users is to go with the information flow.

The advice to companies is this: Do not ban change — embrace it. Restricting use of personal devices will not solve anything — it will just encourage employees to find workarounds for the devices and technologies that they want or need in order to do their job. Rather than implementing ineffective controls to keep them out, IT management should examine ways of securely enabling these technologies while protecting and optimizing the access to information.

At the very core of it, while information security should be a fundamental element of any organization’s overall business strategy, keeping pace with innovation and technological development should also be seen as a measure of competitiveness. There should be a coexistence, not conflict. Inculcating this progressive and open mind-set into an organization’s culture will not only help secure our environment, but can also encourage dynamism and build knowledge.

(Carlo Kristle G. Dimarucut is an Associate Director SGV & Co.)

This article was originally published in the BusinessWorld newspaper. It is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinion expressed above are those of the author and do not necessarily represent the views of SGV & Co.