As someone who has always been interested in Information Security, I find the current trends in digital communication fascinating, and how organizations react to these changes (or don’t) even more so.
I recently completed a security audit with a potential client in the banking industry and they wanted to know if we allowed chat or people to take storage devices out of the office. I had to tell them we live on chat to collaborate and that there is no way I can prevent cell phones from coming in and out of my company (with their evil little SD cards).
What struck me as odd is the anachronistic nature of these questions. Obviously the intent is correct (establish a secure environment for data), but the manner in which this is being enforced borders on the absurd.
Heck, it is possible to store a meg of data on a birthday card these days. How does one stop that?
Combine this with the mad rush by Corporate America, the media and even governments around the world into social media, and the problem becomes immense. The standard response by the infosec types is to “block” such undesirable communication with the outside world, but even that approach is futile. (Sorry guys, but the metal scanner at the front door doesn’t detect SD cards.) Even if the firewalls are set to filter out the offending protocols and URLs for the organizational hoi polloi, you know that there are people sitting in the Marketing/PR cubes huddled around the company Twitter and Facebook accounts extolling its virtues…in theory.
In a nutshell, the Process People have utterly lost their way. Technology can no longer solve the problem, so the Stone Tablets are retrieved from On High in an attempt to overcome this. PIPA/SOPA are perfect examples of this: heavy-handed approaches to a problem that doesn’t have an elegant solution, because the wetware always finds ways around the rules. On a certain level I find it somewhat amusing, because technology is moving us back to the honor system. Enforcement through objective and amoral devices is becoming the digital equivalent of asking someone to take his shoes off at the airport: sure, it makes Execs feel better about “something” being done, but it is highly limited in its effectiveness against anyone serious about gaming the system.
My advice: spend the money on hiring people you can trust, explain the gravity of the responsibility that they bear and remind them regularly. Our information security salvation is dependent upon our ability to share the burden of treating it properly.