Communication is the Key to Security
It may seem like an oxymoron but communication is the key to robust Information Security practices. It is standard practice for security and IT professionals to communicate to their customers by proxy through strongly worded policies. These policies are then enforced by Human Resources or Management.
There is a sea change taking place in information technology however. No longer can information security defend the organization by erecting walls around the enterprise and filling the moat with generic policy. The “consumerization” of the enterprise by the infiltration of mass market technology has lowered the drawbridge and allowed many unauthorized devices and services to stream in and out of the corporate network. Bruce Schneier discussed this topic in depth via his January 15th 2011 Crypto-Gram Newsletter.
In order for information security to address the rapidly changing IT biosphere, infosec professionals will have to develop and hone the ability to effectively communicate with their customers. In December 2010, ISC(2), Information Security Forum (ISF) and ISACA released Principles for Information Security Practitioners. A quick glance down the “Principles” column and you will notice how heavily it ties into the strategic goals of an organization. There is no reference to esoteric security standards, policies or technologies. The entire document could be boiled down to the word Communication.
How you communicate with your internal and external customers is a linchpin in any organization’s information technology and security strategy. Unfortunately, many in the IT and Security profession are poor or inexperienced communicators who have traditionally had layers of management and policy to shield them from actual customer interaction. Looking at industry trends, these days are numbered, especially if you subscribe to the notion that IT professionals in the U.S. will have to hold significant business skills to remain competitive in the global marketplace.