Mobile, social, cloud and big data, each a disruptive force, together change everything related to protecting systems and information.
Traditional security technologies have limited applicability in these new environments.
Consider a case involving Sony Computer Entertainment America. Sony worked for years with law enforcement to prosecute the people behind targeted attacks on its online gaming infrastructure.
Prosecuting security attacks may not be easy, but it is possible for chief information security officers (CISOs) to help law enforcement build a criminal case. Sony played a central role in the FBI investigation of the attacks and in the prosecution of the attackers. Many companies have more information in their own networks that could help law enforcement catch and prosecute individual attackers than they might realise. The key is to know what information to capture and how to capture it so it can be useful to a legal case.
Sony's experience working with the FBI and the US Department of Justice to arrest and convict the attackers exemplifies a number of best practices for helping to realise the benefits stated above.
Through its own internal investigations, Sony identified the online identities of several suspects and worked with internet service providers for confirmation. At this point Sony contacted the FBI, and was able to hand over an evidence package of 18 GB of data, including application, system and network logs; online chat records; and an index of key words and suspects' online nicknames. FBI investigators later described this as the first time they had a "prosecution-ready, turnkey investigation" handed over at an initial victim interview. Three suspects were quickly identified for further investigation by the FBI.
In early 2009, about five months after Sony turned over its initial evidence, the first suspect was interviewed, and computers and other materials were seized. The seized computers were analysed by the FBI in 2009, and Sony then aided forensics investigators by answering specific questions about how its own systems worked.
In 2010, the first suspect was arrested and charged with 15 felony counts. This led to a plea bargain, resulting in admission of guilt, fines and restitution. In 2012, the second suspect was arrested, and computers and other materials were seized. The case was ongoing this year.
Two major changes are facing risk and security teams. The first is that mobile, social and cloud move business data and processes outside of the perimeter, and outside of traditional enterprise control. The second is that these are dynamic environments with no stability or predictability. Managing appropriate levels of risk in this environment will require a new approach. Yesterday it was a new tablet; tomorrow some vice president will ask for email on his new Google Glass.
As a result of these new challenges, security and risk teams are resetting how they deliver value. Procurement teams are developing contracts that improve security agreements with cloud vendors, and security managers are improving data classification schemes to make sure that critical data is never in the cloud. Public cloud risks are being managed through better legal agreements, and by aligning data sensitivity with the risks inherent in cloud. Cloud providers themselves are also raising the bar.
Opening up to social media is forcing risk and security teams to understand how social works, and to develop capabilities in monitoring, data analysis, mitigation and remediation. Social also puts a focus on employee and customer behaviour.
Complexity will increase and force more changes to the way risk and security operate and deliver value to organisations. These trends will shape how people work and live.
Knowledge workers of the future will have all of their company, job, family and personal details in a virtual world that is available through any device or app. This will mix traditionally sensitive data with new types including reputation, pervasive video, sensor data, communications and any number of big data possibilities. Social networking, both personal and professional, will be integrated. People will have access anywhere and any time, so the definition of perimeter will evolve. Vast amounts of information will be collected and processed using the real-time application of constant and pervasive analytics.
Given that we know we are going to get compromised, we also have to accept the limitation of technology to protect us. Most executives get compromised by clicking on something innocent that leads to computer infection. In a nexus-driven world, people are empowered. Risk and security professionals can't take that away from them, but they can influence behaviour. Gartner is pioneering a technique we call "people centric security," or PCS, which is the integration of information security and the social sciences.
Non-IT executive interest in IT risk and security, particularly boards of directors, has been on the rise for more than five years. Gartner predicts that by 2014, 80 per cent of large global enterprises will be required to report risk and security posture to their board of directors at least annually. Our research shows that most existing board material addressing IT risk and security is not very productive.
Risk and security people in decision-making roles with authority must get better at understanding their own organisation's desired business outcomes. Five years ago, Gartner analysts sought an answer to the question "How do you add a business context to risk data?"
Most risk and security organisations are split between security operations and program management. The security operations manager primarily manages technology. The CISO manages the program, with oversight responsibility and most of the decision authority. The operations manager works in IT - and, increasingly, the CISO does not work in IT.
Risk and security departments are no longer the defenders of the organisation; they are the facilitators of a balance between protection and running the business.
Paul Proctor is the vice president at Gartner

A nexus of converging forces on the IT highway
Paul Proctor, the vice president of Gartner, discusses the protection of systems and information.