It’s no surprise that we have seen a nearly constant march toward a highly connected digital world. We are all witnesses to this accelerating digital evolution. It is happening right before our eyes — sometimes quite literally right in front of our eyes, with technologies such as cyber eyeglasses.
There is also a continuous stream of discourse on both the positive and negative aspects of this digital revolution. Many laud detailed, insightful solutions such as IBM Watson for the tremendous benefits they bring to the health care industry. This acclaim contrasts with health concerns related to the extensive use of certain technologies, such as cellphones.
Very few of these discussions, however, have focused on the disconnect inherent in the digital ecosystem. These inconsistencies can create concerns related to information security, privacy and compliance.
Connecting a Fragmented Digital World
In any major evolution, there are always going to be gaps in the desired or even expected connections. The aggressive move toward train travel in the 19th century had a signature moment in the U.S. when the transcontinental railroad was completed in 1869. During this time, however, there were still some 20 different rail types that would necessitate difficult transitions for people and goods traveling around the country.
The ongoing transformation to a digital world is no exception, and there are certainly myriad disconnects to be found. We will focus on several key areas in which these disconnects may present issues related to security and compliance.
Communication From the Top-Down
Let’s start at the top — in this case the top of the organization. Business leaders indicate the importance of security and compliance to the organization in a variety of ways. Common vehicles include periodic communications, general conduct guidelines for members and specific policies related to information security.
Is there consistency in the messages transmitted to different levels of the organization? Does everyone buy in to the level of importance? In practice, does the behavior of the organization differ in substantial ways from the overall goals of the enterprise? The answers to these questions can help IT leaders identify material disconnects.
To cite an example from our daily life, I’m sure most people understand the need to drive cautiously and at appropriate speeds. Everyone knows the posted speed policy, and yet many drivers exceed the limit. A comparable example in the enterprise IT world would be a policy requiring the encryption of all confidential data at rest. Some employees might ignore this standard due to the increased complexity and other performance factors that might result from full compliance with the policy.
Contract Negotiations
Another area that could present substantial gaps is formal contract negotiations between parties. A great deal of effort is put into establishing a contract that protects the interests of both parties, and there are often specific requirements related to the protection of information and services.
However, it is not always straightforward to accurately translate all the applicable contract provisions into actionable policies and procedures for a particular IT deployment. Also, there may be several layers in the organization between those who negotiate the contract and those who interact directly with the data and services. Do the people in charge of implementation and operation understand all the relevant IT security provisions of the contract? In practice, does the environment provide the necessary protections?
Policy and Tools
How about an example from an area that is near and dear to many IT practitioners? That is, the availability of tools that effectively and efficiently support policy rules. Creating good information security policies is certainly hard work, but it is often easier to get the new policy down on paper than it is to acquire, develop, deploy and migrate to tools that can operationally support new policies. This disconnect can lead to additional cost, complexity and inconsistencies in security posture within the organization.
The example above is related primarily to privacy, security and compliance tools, but what about the solutions we utilize each day to get things done, both in our professional and personal worlds? Are there situations in your organization that present gaps in a consistent security posture? Do certain solutions involve stringent controls while alternate, approved solutions have lax controls? Perhaps your organization has specific policies regarding the protection of confidential data in enterprise-provided tools, but the bring-your-own-device (BYOD) option and related services present opportunities to overlook or bypass controls.
Information Blindness
Ironically, the continuous stream of digital information itself can create a dissociative effect. Digital feeds such as social media, email, enterprise messaging and collaborative communities inundate individuals to the point where they become info-blind. People are unable to recognize the important slivers of information within the digital landscape before them.
How many helpful informational messages are sent in your organization each day, week and month? Are personnel now in the habit of simply filing these away or deleting them before absorbing what may be an important security item? In the same way that startups and DevOps talk about the minimum viable product (MVP), as described in “The Lean Startup: How Today’s Entrepreneurs Use Continuous Innovation to Create Radically Successful Businesses,” by Eric Ries, perhaps we need something akin to a minimum viable digital insight for security.
For individual consumers of information, you may want to check out “The Information Diet: A Case for Conscious Consumption,” by Clay Johnson, for thoughts on managing the digital flood.
Mind the Gaps in Your Digital Transformation
I’m looking forward to a time when more IT security professionals can make use of newly available solutions that deliver greater levels of awareness, deep insights and subject matter expert (SME) augmentation, which can dramatically increase an organization’s security posture.
Solutions such as IBM Watson Security for Cyber Security and the new IBM Machine Learning offering depend on extensive data feeds from the digital world. They may even be able to identify certain gaps in privacy, security and compliance, but there will always be a set of disconnects that we need to identify through a variety of other means. As we keep moving forward with our digital, always-on evolution, we should always remember to mind the gaps.
Learn More About IBM Watson for Cyber Security
Chief Information Security Officer, IBM Research