What Security Shall Be

In a recent article in SC Magazine, Dan Raywood points to the critical change that is occurring in the Information Security market. He quotes Paul Simmonds, former CISO of AstraZeneca and board member of the Jericho Forum, as saying:

“The issue is on the move outside the perimeter, which is driven 100 per cent by business and the IT administrator is playing catch up, as is security”.

Simmonds suggests that the main challenge with Identity and Access Management is the difficulty, if not impossibility, of containing identities within the perimeter, as business drivers lead to a fragmentation of access routes and business channels.

To counter this, Simmonds recommends the separation of access management and identity management via the use of “claims based security.”

The merits of claims-based mechanisms can be discussed but, to begin with, it is important to focus on the two things that are being highlighted here and will be even more important in the immediate future: first, the perimeter is disappearing, or has disappeared altogether, and second, identities are fragmenting and access routes (even for company staff) are multiplying and changing in nature.

In essence: identity is fragmenting, thereby compounding the previously known “de-perimeterisation” of IT environments. To address this it is essential to re-balance and re-focus Security, moving from the emphasis on Protection and Enforcement to Trust Definition and Trust Allocation. In terms of Risk, it is essential to adopt perspectives geared towards Risk Taking and Risk Sharing.

Too many documents and statements coming from the consultancy business just repeat the language of risk avoidance and the criteria of “risk appetite”, as if we were permanently talking only to IT departments, which, as Simmonds says, are only “catching up”.

A risk avoidance position does not convey the voice of the business leader or the risk taker.

A risk avoidance position can generate only a minimalistic investment curve, meaning that it will support an expedient solution to “get away with it”, to evade the consequences of the audit process, not aiming at expanding the business, growing the market or increasing the variety of users.

While we need to recognise the relevance of protective measures, it is wrong to centre the Security on Risk Management alone, even if the argument from the side of risk and compliance is prevalent among practitioners and analysts. This is only a fragment of the Security disciplines present and future.

When Security practitioners adopt the prevalent Risk avoidance and Trust enforcement perspective, they are just following the fears and the current misunderstanding that can be found in the market with respect to Security in general and I&AM in particular. Some experts compound the problem when they transport this emphasis to the Cloud.

In a way, Risk-focused advice is using exactly the same language used in the past around compliance, governance, attack-and-defence based security, and transporting it to modified circumstances. Why use the notions of “counter-attack” and “rapid response” as if all of Security depended on warfare scenarios and not on the transformation of Security as an enablement force?

On the traditional ground of Risk Avoidance and Trust Enforcement Security professionals become followers, not leaders.

My point is that we need to abandon the protection centred, techno-centric stance. Security is not an attack-defence position. In particular, Security is not primarily and not fundamentally about defence!

To progress from here we need to open up the concepts of Security. This is reflected in my recent presentation at the Gartner I&AM Summit on March 10th 2010.

I suggested a framework to position Security as a set of disciplines to define, allocate and manage trust, not primarily, not fundamentally and not only as a bunch of “weapons” to “defeat” an “attack”.

The following diagram illustrates the correlations between Trust and Risk Management in the new framework:

For too long the Security disciplines have been dominated by a focus on Protection and Enforcement, anchored on the perspective of Risk Reduction and Trust Enforcement. In the future Security must adopt a new framework correlating Trust and Risk Management.