
Chapter 5: Conceptual Analysis

5.6 Work Context

5.6.5 Perception and Management

The network around data protection is not simply shifting around “company data” itself; rather, that concept is itself breaking down. This is a result of technical change and an example of the necessity of treating the human and the non-human symmetrically in ANT. Latour (1999b) noted that a gun and a man do not of themselves constitute the same pregnant potential as a gunman. In the same manner, company information processed in manual ledgers is as valuable as, and nearly identical to, the same data stored on a computer; however, the possibilities for breaching the security of that data on a computer are different. The combination of the data, the storage medium, the access medium, the state of technical and procedural security controls and of the methods to defeat them, the motivations of those who would attempt that defeat, and many other factors are not static but form a temporary lattice, renegotiated with every change in each.

“Actually to me the question you're asking is, ‘Who owns the data?’ And this is a debate that I've seen in a number of companies, because traditionally IT was seen to own the data, therefore it was up to IT to secure the servers ... Obviously that is IT's function, to have those technical controls, but actually my view is the data's owned by the business.”

[TEC72E-AN91]

There were signs here of a Business Ownership, IT Custodian model of responsibility. This moves security clearly into a role as mediator and specialist, responsible not merely for ensuring the safety of the electronics from within but for the safety of the information from without. That suggests the migration across the organogram promised by Neal (2008) and with it the partial liberation from a prior career in system administration, but it also brings the assault on the black box of “Information Security professional”, still very clearly linked with the operation of computers. Since, however, the study considers the network as it is today, where this tension has not yet been usefully resolved and the security professional exists in a hybrid state, how they are regarded in their work environment is highly relevant.

Distance from the grubby business of operating firewalls may have advantages; however, those firewalls must be in some way supervised and brought within the sphere of the security professional, to ensure a coherent and comprehensive claim to knowledge. As externals to the business processes and – eventually, possibly – to the technology of execution, the security professional must influence from afar. Power in hierarchies is complex, particularly in today’s matrix environment. The organisation seeks ultimately to preserve its resources; thus they are usually spent only in search of reward or reduction of risk.

“Everything is always for the business. If it has an impact on the running of the business then fine, if that's the way we need to do it then we'll have to do it. Just so long as it doesn't have a detrimental effect on the business.”

[TEC11S-ID48]

As seen both from the literature and from the data here, that relationship changes over time as the pressures of easy process and extra margin compete with memories of last month’s now-forgotten crisis; stability therefore ideally requires a relatively unchanging external factor, such as regulation, as its crux. Outside such direct coercive action, the security team must accept that by placing themselves in the position of consultant on processes rather than expert on technology, they lose the ability to instruct upwards.

“The conversation has to be a dialogue, it has to be ‘OK, well if you don't do this then this might happen, are you prepared to accept that? If yes then fine, but you sign that risk off. If no, here’s what I recommend you achieve in terms of outcomes by tweaking your business process. If I can help you achieve those outcomes then please engage me and I will help you’, not ‘You must do this, this, this and this’.”

[CHA33M-SM54]

There are voices here which are much more business-centred than might have been expected in previous years. The practitioners were very clear that the business had to be able to make the decision based on their advice, but that as security professionals rather than operational managers they were neither qualified nor able to insist on their own choices. As above, the danger is that one’s position may be untenable if one’s advice becomes routinely ignored (or in network terms “ignorable”, i.e. not obligatory). As noted from literature, the question arises of whether risks can be accurately judged by non-specialists, and in absolute terms even by specialists.

“Social media is a typical example of that – I'm using Facebook because I like it, so I tend to over-weight the benefits that social media gives against the risk. This is a typical misperception of risk. Security professionals can be victims as well; imagine somebody who's not educated enough or doesn't know a lot of security, how easy it is. So security awareness I think is the first thing we need to look at before we create a baseline for security certifications.”

[EDU54E-CL11]

The discussion here appears to be in the realm of judgement rather than calculation. The job of the security professional is seen to be one of two-fold translation. Firstly they must translate the business environment and its risk tolerance into a security policy, and secondly they must translate the threat into non-technical terms so that management can understand it in context. Whilst the practitioners therefore state that they are providing advice, clearly the rather loose connection between risk, occurrence and outcome allows (acknowledged) room for coercion through the famous “fear, uncertainty and doubt”.

Wishing not to “cry wolf” (and perhaps even putting cynicism aside and allowing a little non-parochial intent) the security manager is required to live in the business. For the management to trust the security function (and hence allow its OPP to be continually renewed), there must be a demonstration of understanding for business processes. That OPP is not absolute and the network rarely irreversible; with a balance of risks it may be that the security action can be bypassed if it itself is a risk to productivity. In non-ANT terms, security is in itself only a means to an end (the reduction of risk and hence loss); if it generates excessive loss (cost) itself then clearly it becomes self-defeating.

“Sitting in the ivory tower and throwing out diktats is something that's reduced the credibility of the security profession in the past, because the business doesn't run for the benefit of the security manager, the security manager runs for the benefit of the business!”

[CHA33M-SM54]

It may well be, however, that the security manager, in addition to being unable to make silo-based decisions through lack of corporate power, may be unqualified to do so for lack of impact data.

Just as management must understand their risk in context and thus require expert security input, the impact of a problem can similarly only be determined by the process owner who can put the unavailability or corruption of a system in its organisational context. Whilst ANT may suggest looking for a translation of one actor’s interests into action by others, this exchange is far more symbiotic; both sides of the risk-reward balance are weighed by their own expert contribution.

So much is not particularly controversial, however nonetheless the change is notable. There is evidence that the practitioners at least are moving towards this ideal and thus the situation is dynamic.

“I think in five years' time you're going to get much more commercially savvy security guys because actually all the [technology] is all in place and works. I think we're in a sort of transitional journey to a security world which understands business problems as opposed to understands technology problems.”

[FIN31E-AN72]

In particular, one change visible from the engagement with the user community, and hence from seeing personally the impact of security decisions in context, is the increased self-awareness with regard to what might be termed obstructive conservatism. From the data it can be seen that security functions developed a reputation for saying “no” to requests and hence for being perceived as blocking, to the point of users deliberately sidestepping security decisions to avoid being obstructed. But far more interesting is the language of self-awareness and the intent to avoid this mistake in the future: a clear sign of change.

This is significant, since changes towards business engagement require new sets of skills, not always matched by older courses taught by some of the less progressive computer science lecturers shaping the next generation of entrants. Rather than being selected or driven inside an organisation into a new area, these are often expert career technical security staff, sometimes with less experience of commercial practice.

Where then for the specialist adviser? The data from many of the practitioners suggests an outward-facing intermediary, who represents themselves as the OPP for advice which is needed to safeguard the data of the business. The government view was (reluctantly) more in line with the position of the less reactive universities, that security still belongs in practice to the realm of computing, but clearly not supportive of the status quo.

“And actually you see that today, when you talk to large organisations about their information risk they largely point at the CTO and the IT department and say, ‘That's their problem,’ and that's not the answer.”

[GOV01E-GV01]

It appears then that this change is happening within businesses and that there is an intrinsic lag between this reality of practice and the reactive mechanisms for teaching and monitoring it.