In the rapid scale of technology time, it's safe to say that we're no longer living in the world of your father's Internet. Of course, this has ramifications for Internet security: The rapid adoption of the mobile device as the primary interface for many users, the mass-scale outsourcing of infrastructure, services, and data to cloud providers, and the now-ubiquitous "Internet of Things" that forces a fundamental shift in how we think about connected devices all present new and different challenges for security professionals. This also means that the most fundamental element of security—the information security policy—needs to keep up with these changes. Unfortunately, in many enterprises, these policies are still stuck in 2005 rather than being the kind of guiding principles they need to be in 2014.
In some organizations—I would guess the minority—information security policies are dynamic, living documents that are frequently updated to reflect the realities of changing technologies and user behaviors. If you're in one of those organizations, congratulations; you'll likely find lots of validation of your policies in Mike Scheu's "Information Security Policy for Users (Not Auditors)" presentation at RSA 2014. But if you're in one of the many organizations that tends to view security policies as static relics that should only be altered in response to a regulatory mandate, or after there's a security breach that wasn't covered under an applicable policy or standard, then it's time to take those policies down from their pedestal, dust them off, and start rebuilding them to address modern threats.
So what are these new, modern threats? Well, let's start with the changing role of mobile devices. Until just a few years ago, smartphones, tablets, and similar devices were viewed as tangential technologies in the corporate enterprise. People used them only for a limited range of applications, and only periodically. Fast-forward to today, and mobile devices are rapidly becoming the primary user computing platform, replacing traditional desktop and laptop computers in droves. More importantly, due to the proliferation of apps, these devices are now being used for everything, not just email and texting. This creates a whole new world of threats that are rarely addressed through information security policies.
Another source of modern threats is the cloud. With the rapid adoption of the cloud for not only administrative services (like email) but back-of-house operations, organizations are simultaneously opening themselves up to additional threats: shared data environments in public clouds, reputational risk from other organizations in the same data centers, and more. These threats are rarely addressed in organizational information security policies today.
Yet another reason to update our policies is the "Internet of Things"—Internet-connected devices that go far beyond traditional computers: consumer appliances, measurement technologies, and more. Because these "things" in question can affect the real world (think about changing the temperature of an office via a "smart," Internet-connected thermostat), it introduces a whole new problem for security: it's no longer simply about protecting data. Now, it's also about protecting interfaces that can affect the physical environment. While policies are usually great when it comes to addressing information security, very few organizations have considered the ramifications of how the Internet of Things can affect their enterprise.
Of course, security policies are only the starting point: While they should represent the fundamental building block of a security program by providing a framework, they're not intended to be particularly prescriptive. Policies need to cascade down to other program guidance, driving both security standards and specific, detailed security procedures. It's a symbiotic relationship—but it is information security policy that should be in the driver's seat. Without ensuring that those policies address the entire range of threats and are kept up to date, the entire information security program will suffer.
It's time for us to update our policies from being relics of a former time to modern, dynamic, and flexible frameworks for managing information risks in the today's world. Without policies that are tightly coupled to modern security requirements, our security policies are at risk of becoming the equivalent of the Moai statues of security: monoliths of history.