On behalf of APMG-International, I look forward to presenting at the IAITAM 2014 Fall ACE at Sandusky, Ohio. This will be my first presentation to IAITAM: I’ll be talking about some commonalities between IT asset management and cyber security. I’ll also present some case studies.
My background is in cyber security, and I spent two decades involved in a range of security issues for the UK government. Over that period, I noticed three significant shifts in security management, all highly relevant to IT asset management.
Shift One: Governments Step Away
The most significant shift of all was the movement away from an assumption of government control and ownership of security issues. In part, this was due to the need for security solutions that can keep up with fast-paced technological (and sociological) change. The rate of this change increasingly outpaced the ability of state authorities to produce countermeasures from their declining resources.
Some technologies once associated exclusively with governments, such as encryption, have since become mainstream. Many everyday services, including banking and payments, require what was not so long ago regarded as a staple of governments, and thus also subject to government secrecy. Even so, the mystique of a governmental hand in security has lingered. It was recently revived through numerous headline news stories about state surveillance capabilities and activities. But as the details of these controversies also show, democratic governments are unable to sustain these abilities without the innovation and flexibility that is provided by the private sector.
Shift Two: Working off the Grid
The second major shift I saw was towards everyday use of private computing capacity and capabilities, inside and outside the workplace – in particular through BYOD. The use of physical barriers to protect IT assets became less and less effective. Twenty years ago, I recall some government offices highlighting the flexibilities offered to their staff through homeworking arrangements. At that time, homeworking really meant that. There were pictures in the somewhat posed staff literature of the time featuring a mother at home, surrounded by her small children, all dominated by the large, office-provided PC (which undoubtedly had no security controls). The security risks at that time were slight, due to the lack of network connectivity. But as people started to go online, managers had to respond to the increasing security risks and vulnerabilities. Solutions included the provision of strong, government-approved encryption on (then expensive) laptops plus two-factor authentication. Inevitably, such solutions were quickly made obsolescent by advances in mobile computing, in particular the arrival of the first BlackBerry.
The constant shift towards miniaturization and portability was a challenge for IT security staff and much time was spent managing the tensions between the expectations of (often) senior staff wanting to work at all times just about anywhere and the increasing technical and other risks which new devices presented. It became a sort of arms race, where each vulnerability had to be addressed and countered, sometimes with expensive technology fixes – and always with expensive security staffing resources. All this against a backdrop of a need to save money and a stream of new technologies of convenience that often disregarded security needs.
I believe things did settle down somewhat with the realization amongst developers that in the information age everyone – not just those in government – has an obligation to secure their data. Nowadays there are technical solutions providing seamless security between personal and business use of mobile devices.
I think my experiences working within government include valuable lessons for non-government practitioners of IT asset management. In particular, data technology does not typically account for the increasing slew of national laws and regulations, many of them designed to control the flow of personal information – usually (though not always) in support of the rights of individuals. Some laws also protect states from crime and from espionage. In particular, the laws on the import and export of encryption technologies are many and varied. In this world of increasing cross-cultural trade and travel, this is, I believe, an area where both individuals and organizations need to increase their awareness, simply to protect themselves from unintended conflict with local and national laws. That is something I shall be dealing with in more detail at the ACE conference.
Shift Three: Professionalism
The third shift I witnessed in the course of my government service was a most welcome drive towards greater professionalism. When I started work in the information assurance field, I was qualified only in terms of my previous service as an administrator, that is, as someone who had “done” other types of security before and whose turn had come for a change within the organization. I was in good company, since nobody else in my team had any sort of security or asset management qualification other than experience and a general “feel” for IT matters. The lack of appropriate certifications or qualifications at that time made it difficult to counter impressions about our lack of appropriate skills. Though we tried very hard to produce pragmatic security solutions that put business first, we were therefore always vulnerable to the charge that we had no sort of oversight of our decision-making. That in turn left us open to claims that we were implementing security measures for their own sake and without a sound business justification. As an example, there was much argument over some vulnerabilities presented by the then-new concept of Internet mobile code. Our legitimate security concerns got amplified in ways that made it seem as if the security office was on a mission of its own to block useful user features rather than preventing possible damage from what was then untried technology.
For my part, I realized as a result of this adversarial model of security experts vs. practitioners and users how essential it was to obtain some sort of peer-assessed certification. I therefore took up the opportunity to help build a new one that was being designed specifically for government (since then developed into the CCP [CESG Certified Professional] certification). In this effort, I received very little encouragement – and no financial incentive. In the longer term, I was rewarded after leaving the civil service. But the lack of an incentive for civil servants to obtain professional accreditation was also noted following a high-level enquiry after the catastrophic loss in 2007 of millions of social security records.
By the time I left government, it seemed to me that much progress had been made in its efforts to professionalize the generalist civil servants responsible for cyber matters. It certainly seems impossible now for any civil servant involved in this ever-changing subject to fail to undergo some sort of peer assessment as a condition of their progress in the field.
I look forward to developing these points further at ACE in November and hope to see you there.
APMG-International is an IAITAM accredited training organization. Based in the UK, it is a leading examination institute which accredits training and consulting organizations and manages certification schemes for professionals.