CIOs and CISOs will need smart policies, good awareness programs and judicious enforcement to manage risks presented by the latest techno-trends.
A double-sided painting by Wassily Kandinsky plays a prominent role in John Guare's play Six Degrees of Separation. One side, called "Chaos", is a vivid mix of colour, all splashes and slashes of paint. The flip side of the painting, titled "Control", is dour, geometric and restrained. The canvas is designed to be set at an angle and spun so that the viewer experiences it as a single work. In one scene, the painting's owner spins it for a guest, chanting, "Chaos, Control, Chaos, Control".
This mantra should feel familiar to CIOs, because it's a spin cycle they are all too frequently stuck in.
Technologies - particularly those marketed to the individual - are evolving rapidly and in unpredictable ways, which places CIOs and security executives in the uncomfortable position of trying to set controls on a constantly shifting and mutating target. Need an example? Then look no further than the new mobile phone in your hand (or the hands of the sales and marketing types in your organization), which has morphed into a multifunction device incorporating a PDA, camera and MP3 player.
The trickiest aspect of the problem is that many of these technologies are valuable business tools when used with the appropriate security controls. However, all too often, eager employees purchase, download or otherwise acquire these groovy gadgets and programs, and enthusiastically integrate them into their work environment, heedless of the holes they are punching in the company's security net.
Take Skype, the free, downloadable Internet telephony system that launched in August 2003. Skype users can make free phone calls to other computers all over the world. A great idea, right? Not if security is a high priority, because Skype encrypts all of its traffic and skirts firewalls. That's a bonus for users, but a nightmare for CIOs who can neither monitor nor stop the traffic. In the 51 days following Skype's launch, the company registered an impressive 1.5 million downloads and 100,000 simultaneous users. When programs like this catch on, they spread like dandelions in spring. At its one-year anniversary, Skype boasted approximately 9.5 million subscribers and 1.5 million users per day.
So how do CIOs and security heads kill the weeds without burning the grass? We took a look at four rowdy technologies: camera phones, portable data storage devices, wireless computing and the joint threat posed by peer-to-peer technologies (P2P) and Web-based services. They are well-meaning and widely used tools that can be office assets, but also can wreak havoc when used carelessly or maliciously. We sought the advice of security executives and other experts on the best steps to take to establish some control in the midst of the chaos.