I participated in the Security Leader RIO Congress 2017 as a speaker and panelist in April, which covered many interesting subjects and people with the purpose of thinking collectively about the dilemmas and gaps that permeate the routine of the CIOs and the other executives' nightmares.
At some point, after seeing the vision of different people representing different roles such as supplier, consumer or simply thinker, and still varying in breadth of vision from the most strategic top to the most operational base, I noticed evidence of a mismatch about what the roles, responsibilities, and real complexity imposed by current information security risk management really are.
Immediately I remembered the book based on an old Indian fable from 1931, named Seven Blind Mice. The fable describes the routine of seven blind mice deciding to go out, one by one, to check out what was the strange thing they found near the pond, each returning with a different response. The red mouse thought it was a pillar. The orange mouse exclaimed to be a fan. The blue mouse claimed to be a snake. The next three mice also came back, each with a different idea. Until the last mouse returned and realized that his perception did not resemble anything that the others had felt as well, he decided to coordinate the mess and collectively to hear each idea together to conclude that it was an elephant.
In this way I realized that the subject of information security being addressed throughout the day, lecture after lecture, debate after debate covered technical, tactical and strategic visions mixed by trends including appliances, tunneling, protocols, performance indexes, steganography, malware, zero day vulnerabilities, botnets, honeypot, deep web, BYOD, user behavior, rules for contracting cloud services, fear of the cloud, cloud types and cloud future - these are all legitimate views and purposes, but without seemingly being linked to a holistic, comprehensive view attacking the imminent problem: the liquid information of a liquid society, paraphrasing the concept established by Zygmunt Bauman.
This author determined a time marked by the flexibility that caused a certain fragility about our relationships about things or people. This liquid society is compared to water because this natural element has the potential to change its shape according to its container.
If we stop to reflect on the concept for a moment, establishing a connection analogous to the knowledge society and the power of information, we will see great similarity. The planet is totally interconnected by fast paths and at the ends of these tracks are electronic devices or simple information technology equipment, which already coexist in exponential growth with physical-electro-mechanical devices or simply equipment of operation technology.
IoT is shipping connectivity and processing power into just about anything after it has overcome the barriers of miniaturization, power capacity, and the limits of communication. Still at the ends of the same pathways, we have people. People who live socially, but who have their habits changed in relation to devices and information in a general way.
Devices that handle, store, transport and dispose of information will be everywhere. We will be able to interact with things, talk to them, ask them for information, dress them and even ingest them. We will live virtualization to the extreme. We will no longer know where the information will be, what it will be doing with it, how, where, when, or who, if we simply continue to adopt the same perimeter-based security mechanisms that have lasted for decades!
We need to assume the liquefaction of information: understand that there is no more boundary, time and space. We need to think about providing information about mechanisms of self-protection and self-management. Embark intelligence in the information itself so that, following rules defined by its owners regarding handling, storage, transportation and disposal, they themselves can decide where to go, how to go, with whom to go, when to go, or even when to remain confidential, entire and available.
Forget the concept that information acquires security by transferring trust in inter-locators, people, machines or systems. This border no longer exists. The world needs interoperability, virtualization, decentralization, the ability to operate in real time, modularity and service orientation. If we study the evolution of security concepts in the last 20 years, we will see exactly this movement of decentralization, from CPD to endpoint, as with banking services.
Security has come out of the super coffers, migrated to the bank branches, then to the value transports, to the ATMs and finally to the user's mobile device. One last step is still missing: security, which must reach the core of the information itself.