Security’s Evolutionary Theory

Security and risk awareness have been part of the lives of humans from the very earliest days. At its core, security focuses on keeping things safe.  In a business environment, complete safety can restrict access and availability, and is therefore impractical.  Focusing solely on security, without balancing associated risk, is unrealistic, as businesses need to take certain risks to grow and be profitable. Let’s look at the history of security and risk to see how we can bring the focus back to business risks and away from simply protecting, or securing, assets.

A long time ago in a place not so very far away…

Near the dawn of historical time, people lived in extended family units. The men, mostly, went out and killed wild beasts to bring home meat for the family while the women and children, mostly, gathered the fruit and berries that were the gastronomical mainstay.

Hunting was a high-risk activity, since both the prey and their natural predators tended to travel together. People would, more often than not, be injured or die while hunting prey, or the predators (let’s call them lions) would drag off a family member while they were preparing meat from the hunt.

At some point, the family group decided to reduce the risks and started to capture and keep the animals they were hunting. This took some time, but eventually we settled down into villages where food could be grown and meat was readily available. Living in villages allowed multiple families to live together and helped reduce, but not eliminate, threats from predators.  On occasion, the lions would sneak into the village at night to steal meat, and sometimes even a village member!

Threats come from inside as well as outside

To protect the people, the village elders decided to put a fence up around the village that could be closed at night to keep the lions out.  This strategy reduced the risks by protecting against the threat of lion theft and attacks. It worked until a dead villager was found and their meat was missing. Lions were blamed until no signs of a lion attack were found. At this point, the villagers realized that, though not as numerous, there were some serious risks inside the village gate.

The walls get stronger

This fence-and-gate mentality was expanded, as villages grew into cities and elders became knights, dukes, and kings. As the leaders became more important, the fence was replaced with walls and a castle with a fortified tower. The castle was stronger than the fence. However, in the heat of battle between two opponents, there was always the chance that someone from inside the castle walls would let the attackers in, resulting in significant loss. These risks were considered minor, until that breach occurred, and then were recognized as an acceptable risk. As defenses were expanded, technology kept up with new methods of attacking. Within a castle, more layers of defense could be put in place between the attackers and their new methods of attack (not just lions any more), and the goal of their conquest (food, gold, fair maiden, the king).  With multiple defensive layers, the risk of a successful attack was reduced to an acceptable level. Over time, as technology continued to evolve, so did our means of protecting ourselves.

Protecting the keys to the kingdom

Eventually, in business, as in life, we realized that all types of fortification were only as strong as the walls protecting them. This was the catalyst to the invention of encryption. Encryption allowed us to hide messages in transit and protect information at rest while still in our keeps. This focus on layered security continued as information technology infrastructures for business were developed. Security has often been considered a business inhibitor — curtailing the use of new technology and innovation. With the use of electronic networking, the battle between security and business continues to grow.

Evolution of networking

Networking today has evolved so that the gate, or wall, around our business is assumed to be breached. We are electronically connected to our business partners at a system level, and most of us are accessing our email from smart mobile devices we keep in our pockets. The current industry trend is that smart mobile devices and tablet computers are going to replace the PC and laptop. This means that critical business data will need to be, or is, housed in a shared information system in a corporate data center or in “the cloud” where the security around it is further out of your control.

Evolution of security

As with the path from moveable structures to villages and castles, security innovation continues to evolve.  As a result, IT security professionals are adapting to keep pace with this evolution.  They are beginning to focus on business risks and are partnering with other business units to allow new innovations to be used quickly while allowing the business to operate inside their acceptable risk parameter.

The bottom line

We need to start looking at security not as breach prevention or loss prevention, but as an integral part of the business decision-making process, one that identifies and mitigates, or lessens, business risks rather than just protecting the information needed to run the business.

To learn more about the evolution of IT security to IT risk management and learn about a new approach that protects critical business data in an edgeless environment while allowing for innovation, please register for the April 30th webinar IT Risk and Security Rewards.

Steve Hurst, Managed Security Product Director, AT&T