We live in a world that is rather messy.
Russell Ackoff defined "a mess" as "interacting problems or issues that are not easy to appreciate as a whole" (Flood & Carson, 1993). You are in a mess if you cannot put any structure on the situation.
Organizations are not closed systems. You can't measure everything, because things change too quickly. The Internet is a vexing source of "unknown unknowns". We depend on software that, on closer inspection, is assembled from component parts whose provenance is ambiguous at best. It is "Office 2.0" for most employees, with no definite way for the employer to tell good behavior from bad.
It is safe to say that when it comes to IT we are dealing with an unstructured situation.
The growth in volume, speed and diversity of data, devices and threats is non-linear, so our thinking about IT security must be non-linear as well.
For example, the correlation analysis used to flag a security incident or track an impending threat is largely divorced from cause and effect: events that happen together are not events that caused each other. We are left with false emergencies, lots of noise, and inaction on the things that actually matter. We are still building "naive" applications instead of "street smart" ones, engineered with the knowledge that they will be broken into and constantly attacked. Finally, there is a tolerance for living with broken links. Yet to make informed security decisions we need to connect the rationale and outcomes of our policy decisions, our cultural expectations, our counter-intelligence activities and the lessons learnt from incidents.
We have to shift from securing an environment to surviving an ever changing ecosystem.
Thursday, June 17, 2010