Once you consider security in a historical perspective, it is easy to recognise that several security approaches evolved over time to protect information and IT against external and internal threats. And your security likely needs all of them.
- In the beginning, up to the eighties, security was merely an add-on. IT in business consisted out of stand-only systems, and terminal services enabled local and remote access. To protect IT, point solutions could be acquired, for instance, RACF or ACF2 acquired to protect data and systems at mainframes.
- In the nineties, IT became more connected, and it became normal to have an organisation-wide security control framework, during that period the Code of Practise for Information Security was established. This Code of Practise consisted of good practises that could be useful to secure any organisation. Nowadays, organisations more and more have their own IT control framework. Still, we live in a time that measuring compliance with such a framework is a learning experience.
- During the years zero, as computer networks became common, and Internet web sites started to be used for business purposes, IT infrastructures became more complex. At the same time, organisations became aware that 100% security is not achievable, and that risks are to be taken. So, based on the sensitivity of IT (Internet) services, security measures are selected, whilst accepting residual IT and therewith business risks.
- And we all learned. Consider the mind shift of the years ten: Once you really accept that preventive security measures are not sufficiently effective, you want to know if preventive security measures fail. Therefore, timely detection of a security violation, attack, or hack is wanted, followed by a swift response to handle an actual security incident.
- So far the past, and what is ahead in the twenties ? We know that IT-based attacks are here to stay, and that attacks come not just from script kiddies, but also from criminal organisations, and even from nation states. We are aware that the quality of security measures needs to constantly evolve, balancing business and IT risks with developing threats and vulnerabilities. Organisations should apply agility and velocity, to adapt to the reality of developing Values at Risk.
And what is your homework after learning about security in a historical perspective. Please do consider that ‘older corporates‘ have growing pains to timely move forward and to timely adopt new security perspectives. Many organisations are still in pain to learn about the reality of attack chains, about hackers gaining access to organisation’s networks, and exfiltrating data. These organisations do often not face reality too late. Please, cease the moment and move forward!
Also, newer (eCommerce) organisations can have homework, already being modern and be be highly agile. These newer organisations can have skipped some security stages, for instance have a need to improve their IT compliance framework, or implement security monitoring, to protect data and systems, and therewith support security hygiene.
Please do consider your homework for this week. Assess what is the security maturity of your organisation. Did you learn from all decennia of security developments. Please consider if you realised adequate security, taking into account your desired and current maturity for each of the five perspectives that we learned about.
Enjoy your homework!