


Dog Days: The Security Profession Grows Up

Sep 04, 2002 | 3 mins
Data and Information Security, IT Skills

Since Sept. 11, 2001, security has become something of a frisky new puppy, gamboling in the worldwide limelight and garnering a lot of well-meaning attention (though perhaps not quite enough puppy chow, to judge from the wailing about underfunded mandates in both the public and private sectors). But timing is everything. Through its sad association with catastrophe, security has been made prominent in ways that were probably overdue.

And yet, while the now-intense focus itself is new, security has been quietly important for eons. For as long as computers have existed, their gifted custodians have fretted devotedly about the violability of the data the computers contained. Once networking came along (freaking out most of those same custodians), there quickly followed a wider and wider distribution of the networked data. As a result, the complexity of securing information while also guaranteeing appropriate access has inevitably grown massive. (Concurrently, physical security is increasingly powered by digital means, creating a circumstance in which the two technical infrastructures--and, sometimes, accountability and authority--are converging as a unified activity.)

Steadily, the tension between information-driven opportunity and the security risks of widespread information sharing has also grown. In theory, it would be possible to achieve nearly perfect safety through a process of wholesale disconnection from this inorganic though oddly lifelike grid. But the genie of information will never go back in the bottle. Every enterprise has acquired an addiction to more and better networked intelligence. Customers, employees, trading partners, alliance members--all of the many and varied stakeholders of every interconnected venture--rely on the free flow of information to make decisions, gather insight, share knowledge, market and sell, consummate transactions, monitor and adjust processes, regulate workflow and otherwise make stuff happen.

As the post-9/11 rallying cries have made clear, there will be no duck-and-cover when it comes to computer networks. The mandate of anyone concerned with security is to enable the ongoing pursuit of opportunities in the safest plausible context. That means that the knee-jerk reflex, attributed to many security practitioners, of simply saying “no” to risk is no longer acceptable--if it ever was. Security needs to be accomplished within a matrix of business realities. Risk is situational and must be weighed between the poles of what stands to be gained versus all that could, in the worst instance, be lost.

Consequently, among the skills to be most prized in security chieftains, political and managerial chops will ultimately overshadow technical expertise. Two of the feature stories in this premiere issue of CSO reflect the decisive importance of what is sometimes dismissively called “the soft stuff.” Both Daintry Duffy’s “Let’s Talk” and Sarah D. Scalet’s “The Human Touch” offer useful guidance in the fine art of playing well with others.

Applying the right solutions will become much more a matter of adroit negotiation and persuasion than of specifying some weird new black box that, in any case, may not perform nearly as magically as advertised. In the hope of playing well with our readers, we look forward to your reactions to this inaugural issue.