This article can also be found in the Premium Editorial Download "Information Security magazine: Best practices for securing virtual machines."
Amylin, a diabetes specialist pharmaceutical company, is busy developing e-detailing applications -- applications that provide physicians with information about its products -- for iPads. Sales reps, who often have to squeeze their visits into a doctor's busy schedule, love the capability to walk and talk with the doctor, all the while showing a flashy presentation on the iPad. The new world of mobile tablets, like the iPad, holds much appeal over the old ways of bulky flipcharts and heavy laptops. Amylin would see a positive ROI just by eliminating the need to print detailing materials every year.
Amylin is not alone. Almost every Fortune 500 company has a strategy to utilize social, mobile, video and cloud technologies, either to optimize operations or to improve customer reach. This is what Forrester Research refers to as the "Empowered movement," where companies are empowering their employees with modern,
IT security simply doesn't have a choice: empowerment will happen regardless of security. Just as a few clever individuals will find a way to read corporate emails on their iPhones without IT support, consumer technologies will invade your enterprise independent of any adoption barriers. On the other hand, corporate IT is the only place where business can expect consistent, long-term support for the otherwise fragmented, self-provisioned initiatives. In addition, the organization can benefit from the central oversight and coordination IT brings, as siloed technology efforts can result in inefficiency and missed opportunities to leverage others' experiences.
This movement in fact provides a rare opportunity for IT to reinvent itself. Think about it: Corporate data is going into the cloud, mobile devices are edging out traditional PCs, and social technologies are enabling ad hoc collaborations anytime, from anywhere. The status quo approaches simply won't cut it anymore. If there ever was a time to rethink existing security models, now is it.
So, how do you do it? How do you protect your company's most prized assets in such a rapidly changing business and technology environment? You need a new modus operandi:
- Engage the business. Meet with major business functions proactively to understand their approach to social, cloud, and mobile technologies. Offer the risk perspective and become involved in their strategy decisions. Recruit representatives as your eyes and ears and educate managers and employees about the risks of these groundswell technologies.
- Run at the threat and shape the outcome. Tackle the security fundamentals; do not chase the symptom du jour. This allows you to focus on your goals vs. changing strategies every time a new threat or technology enters the enterprise.
- Influence and incite security-aware human behavior. Your employees are now your perimeter of defense. It is imperative that they have a basic level of understanding of the risks with these new technologies. IT security can play an education and awareness training role. In fact, you should insist that a baseline for education is that managerial staff understand the risk tolerance level of the enterprise and master the skills for risk assessment so they can make intelligent risk-vs.-reward decisions on their own.
With the Empowered movement, IT security is being thrust into a crucial business function. With your support, the business can more effectively utilize innovative technologies to optimize, innovate, and compete. You can emerge from this process, transforming from the role of a utility provider to a partner, an advocate, and ultimately a trusted advisor.
Chenxi Wang is a vice president and principal analyst at Forrester Research, where she serves security and risk professionals. Send comments on this column to firstname.lastname@example.org.
This was first published in March 2011