We are living in an increasingly evolving world. One of the aspects of this evolution is the permeation of technology into every aspect of our life. The technologies around us change continuously, with it changing the way we live, work and entertain ourslves.
Due to the advances in technology, the world has become an interconnected place; connecting people, cultures, communities and organisations. These connections are not just technological, but multidimensional. The demographics of technology users have changed, as has the purposes of using technology.
We create wired and wireless connections using static and mobile devices to initiate and maintain human and virtual connections across geographic, socio-cultural and generational boundaries. These connections allow us to communicate, share information, play, work respond to political situ`tions and be creative.
Unlike many other facets of human life, it is almost impossible to capture the current state when it comes to technology. This is because the current state of technology is transient. In such a transient state, proactive technology management in reality becomes a series of reactive responses to technology driven business practices. An analysis of how we manage technology shows us that we have not changed our approach to technology management.
We still seem to be evaluating and responding to problems based on yesterday’s experiences. The convergence of the professional and personal spaces has resulted in the development of many new technologies such as high reliance on the information and communications technologies. With the rapidly changing technology and its use, we are posed with the challenge of managing and securing the systems and information connected by the technology. The changing landscape of the information and communication technology space means that the traditional ways that we looked at managing information security are no longer valid. It poses a challenge of rethinking the way we plan our information security strategy.
A key development that seems to have gone unnoticed is that the shift of balance in technological knowledge. Previously, the technology department of an organisation was the masters of technology, and thus commandeered a position of power within the organisation, driving the business in the selection of technology and its use.
The end users had to rely on the technology department personnel to provide the technology and the know how to use it.
Today’s end user base is much more technology literate, and are more knowledgeable than technology department personnel not only in the technologies, but also in the use of these technologies in the business context. We now have businesses asking for technological features to enhance their business activity. Some users have invested in their own technology and want to use personally acquired technology within the business context.
Suddenly, the technology department is no longer driving the technology advancement of an organisation. Rapid changes to the technology landscape means also that they cannot keep their knowledge constantly updated. While they still may have more knowledge in configuring the traditional computer and networking technology, the rest of the organisation now has more knowledge about using technology in real life.
These advancements introduce new threats and risks to the technology landscape of an organisation. More people with access to technology that can be used in a multitude of ways mean that there are many more threat vectors that can impact on the organisation.
While traditional controls to managing technology threats and risks such as policies and procedures, authentication and access control, event logging and auditing and implementing management systems and compliance frameworks still have their use, we need to look at new ways to identify and manage technology related risks to an organisation.
Unfortunately, we seem not to have stopped to evaluate our approach to technology and related risk management. Collectively, we know very little about our current threat environment. This is evident from the fact that our technology management and information security programmes are no different from those that were in place in the past.
We are still talking about hackers, malware, technology failures and such as our threat sources. While, we do seem to understand that there are new types of threat vectors, we seem to interpret and address them through new types of old defences such as new types of old defences more and more compliance requirements, technological controls and awareness campaigns.
While these controls may provide a degree of assurance that are technological systems and processes are resilient to some extent, we need to develop new paradigms for managing technology and information security taking into account the differences between the organization and the individuals that make up the organisations. Some of the differences that need to be considered are –
- Organisational culture vs individual culture
- Organisational risk tolerance level vs end user’s risk tolerance level
- Organisational knowledge vs end user’s knowledge
- Organisational access to technology vs Individuals access to technology
Factors such as changing dynamics of technology and its usage also need to be evaluated when developing new paradigms for technology management.
Only when we gain an understanding of the actual technology landscape can we begin to formulate and implement a technology and information security management programme to address the continuous changes and challenges posed by the rapid advancement of technology and the technology related behavioural changes demonstrated by individuals.