I just finished reading an excellent article by Ted DeZabala -- the national leader of Deloitte's Security & Privacy Services -- on Forbes.com titled "Are You Focused On The Wrong Security Risks?" It poses several good questions about what organizations are doing to protect their corporate identity, employees and personal data. Ted raises some excellent points around the necessary procedures for how to protect your company; however, I think there is a bigger picture worth addressing.
For companies that are knowledge leaders, the rise of mobile devices, new applications, social media and ubiquitous broadband are the foundation for the next wave of business management and employment change. Companies that adapt quickly and actively change the relationship between IT and end users will be better able to attract talent, execute new business models and evolve management capabilities to improve competitiveness. This is truly the first generation where employee technology is the most important and crucial business value.
It's in this context that organizations are rapidly driving change. IT is loosening its control over employee technology and letting a new generation of smartphones, tablets and employee-owned devices into the enterprise. As business drives these changes, IT end-user policies and security procedures need to be broadly reevaluated.
In particular:
- As employee information becomes public on personal social networks, companies need new security models to fight pretexting, targeted phishing attacks and other security threats. CIOs need to be absolutely sure that the identity of every person or device accessing company resources is legitimate. It's important to note that this threat can't be addressed by limiting work use of social media: even if these tools are banned, employees who put work information in their personal social media profiles or feeds create these same risks. You can view a copy of Dell's personal employee social media policy here.
The simple fact we may be forgetting is this: companies can no longer control security risks with internal policies that limit the use of devices, applications or data. As new risks continue to evolve, most organizations will need to architect security around an environment they don't fully control. Instead of fighting to control the ways in which we embrace technology, the only remaining choice for most CIOs is to adapt to it.