Some thoughts on decentralizing the infrastructure without decentralizing security

Security as the Tipping Point for Tech Infrastructure Consulting

I was thinking today about how current best practices for securing the enterprise and the continuing evolution of the threats are demanding a different perspective on how to build, develop, and secure a robust infrastructure for a decentralized workforce.

This post is my opinion on how the new kind of IT practitioner is meeting these challenges in a more horizontal way. In fact, the whole idea of “infrastructure” has been undergoing a deconstruction for years, certainly ever since the Internet became a meaningful business environment. It’s no coincidence that one of the fastest ways to identify old-think tech folks is how they treat security. And it’s probably true that “as goes security, so goes the rest of tech consulting work.”

It is usually pretty easy to spot the “security guy” that doesn’t actually get security. He is the one that says you need to do X to “protect yourself from the external attacker!” Sorry to tell you but the external attack is dead. We have spent the last 10 years building so many moats around our villages (our networks) that we forgot to realize that the village idiot lives on the inside right next to the king. Security is not just about the external attack. Security is involved in every part of the infrastructure from the WAN to the PDA to the digital camera an employee brought in to upload some photos.

Internal users, whether they are located in your building or not, are more of a risk today than ever before as businesses decentralize, build more mobile workforces, outsource, and offshore. The lines that old-school security engineers relied upon and used to delineate “security zones” are disappearing. A holistic security plan has always been preached in the universities, books, and training seminars that security engineers and security consulting firms have attended. What has changed is that holistic security used to be a nice-to-have but now it is a must-have. Consulting firms still do not understand the business reasons for a specific security technology, don’t understand the technology itself, and very few work with the customer to ensure the product succeeds at actually reducing their risk.

The village idiot is unable to steal from the village if all the villagers’ doors are locked and windows shut. The new IT practitioner understands this approach and how the various security technologies work together to form a strong infrastructure. It is not about what Product X can do for a specific risk, it is about how that risk reduction affects the other risks within the organization. It’s about balancing the risk with the return.

This change requires a different perspective when building, developing, and implementing secure and robust infrastructure. Organizations must meet the challenges posed by a holistic security approach and realize that, since the advent of the Internet, businesses have decentralized their infrastructure without decentralizing the security infrastructure. As the two become more and more decoupled from an architecture and geographic perspective, they will actually become closer to each other with regard to the organization’s risk. Neither the technology infrastructure nor the security infrastructure can succeed independently.
