Join me in a small exercise.
First, raise your right hand.
Now, lower your hand ONLY if all four of the following statements are true.
1. Your network has no physical points of presence. No wiring closets, no physical data center.
2. The data in your network does not represent any physical assets. No records used to track or manage inventory of supplies or goods.
3. None of the information in your network is also represented by a paper record anywhere in the possession of your company.
4. No human beings are able to access or alter the data in your network.
[Also in this special report on IP protection:]Brain drain: Protecting your company's intellectual propertyJason Clark: 4 keys to IP protection The in-depth guide to data destructionPatent trolls in our midst—what your general counsel is worried aboutBob Bragdon: SOPA, PIPA, Anonymous and IP
Excellent. Anyone able to lower their hand? No? So all of you have your hands still raised? I thought so.
Here is what it means if your hand is still raised:
You have to cooperate with other departments to secure your information!
They can't do their jobs unless they communicate with you. And you can't do your job unless you communicate with them.
I'm still hearing this question from time to time—on Twitter, at live events, in article comments—when we write about various broad issues: "But what does that have to do with network security?" It's the Network Security Isolationist school of thought.
In our February Special Report, we take a look at the many facets of securing intellectual property (IP)—via legal safeguards, timely data destruction, social engineering prevention and more. IP protection is a broad business goal and a perfect illustration of why isolationist thinking doesn't work in security. Network defenses are a critical part of the puzzle, but only one part.
The "What does that have to do with network security?" question is a weirdly anti-intellectual, incurious thing to ask for an industry with roots in exploration and tinkering and pattern-finding. More critically, it holds back the network security profession, making security people appear to be nonparticipants in the business. Ten years ago, this question was the norm. Five years ago, it was maybe a forgivable lapse. Now, it's just ridiculous.
Network security isolationism must die!
Or, expressed another way: Get your head out of your network!