Sunday, May 10, 2020

Repost - From IT security to information security and beyond...

Over the years, yours truly has been heavily involved with the evolution of the modern “computer security” function in a number of organisations. I thought it might benefit readers to receive a brief history lesson, take a current pulse check and look forward to where the information security function is headed.
In the 1990s the security function in an organisation was called “IT Security” and looked a little like this:
  • The team had an asset-centric focus, concentrating on deploying, maintaining and managing protective technologies including anti-virus software, web content management, firewalls and intrusion detection systems.
  • Security products were typically ‘bolted on’ to technology environments to help mitigate underlying deficiencies, and IT security teams were always looking for ‘silver bullets’ from security vendors to resolve security concerns, or at least to point at when a security breach occurred with a “hey, we tried, look, we bought a widget that said it fixed that”.
  • IT security’s role involved saying ‘no’ to projects with little explanation or justification, mostly because project personnel had no idea how to comply with policy.
  • Organisations relied on a perimeter-based approach to network security, with these perimeters typically being well defined thanks to physical security.
  • Security reported to the CIO for budget, and the CIO often declined security team requests, with lack of budget being the number one concern for “security managers”.
The modern information security practice of the early 2000s looks more like this:
  • The focus is on data and a risk driven approach to securing it wherever it may be.
  • A key activity is securing the expanded enterprise, with corporate and customer data held by service providers.
  • Many organisations are successfully preventing accidental data leakage by employees with signature-based technology such as Data Leakage Prevention (DLP).
  • Security is focused on saying ‘yes’ to project teams and the business, and on making sure key building blocks are available for consumption, such as typical deployment patterns and reference architectures with security built in, with a “look, here’s one we prepared earlier” attitude.
  • The network perimeter has been expanded to encompass corporate mobile devices and corporate wireless systems.
  • More security controls are delivered through the upper layers of the Open Systems Interconnection (OSI) model, with Web Application Firewall and Identity and Access Management products being used to secure access to applications and databases.
  • Security controls are embedded in infrastructure builds through security engagement with Standard Operating Environment (SOE) builds.
  • Security is built in via security standards and processes as part of the Software Development Life Cycle (SDLC), focusing on mitigating vulnerabilities.
  • The security team reports to the Board, keeps the CIO honest and is often well funded due to executive-level concerns about brand damage and service interruption from well-publicised security breaches.
The future of the information security function might look like this:
  • Increased service provider focus due to the “cloud” focus, with service provider selection and evaluation for a defined set of hosting use cases becoming a key competency.
  • Security playing a key role in driving corporate strategy and providing constructive criticism in the area of cloud adoption, especially in the fields of service orchestration and business continuity.
  • Extensive use of personal devices (phones, tablets, home PCs) for corporate activities such as teleworking/mobile working, with a selection of security controls that balance security with user experience.
  • Widespread use of security services provided via the cloud, such as threat intelligence, web proxy and malware detection.
  • Full charge-back models being deployed for the use of security services, billed directly to business units on a per-employee or per-customer basis, making the security function self-funding.
  • Malicious data leakage detection undertaken through extensive network and system data analytics.
  • Building and selecting secure systems through SDLC and procurement processes, with a focus on consistent implementation of key security controls.
  • Software-defined networking and full virtualisation of the network.
  • Horizontal, service-based network segregation rather than vertical tiers.
  • Enabling developers to self-assess the security of their code, libraries and dependencies to facilitate containerisation adoption, reduce time to market and eliminate environment inconsistencies.
  • Security perhaps reports back to the CIO, whose role has evolved from IT asset management responsibility to data and service provider governance, with alignment rather than opposition to information security objectives.
