The Future of Security With Respect To Distributed Content
By Roy D. Follendore III
Copyright (c) 2003 by RDFollendoreIII
January 26, 2003
Consensus is important to problem solving within the security domain. But the failure to have a diversity of thinking in the conduct and creation of decisions inevitably leads to problematic failures. Technical security also involves the recognition of a social component. For the reasons discussed tonight, every solution taken in the name of security requires a careful consideration of divergent balance. Organizations dedicated to providing security have difficulty maintaining the necessary degree of internal balance over time because of their nature and their internal political tendency toward higher centralized policies, efficiencies and controls. Technical security professionals need to understand this.
How To Organize Security Groups
Major corporations have been attempting to encourage group consensus while maintaining internal organizational balance through diversity in decision making. One way of doing this is a process of specifying explicit roles to encourage lateral thinking. The concept is called Six Thinking Hats. The way it works is that the group divides its membership into thinking-hat groups by color. The color of the hat represents the type of thinking that is expected from its wearers. The members then work through colors rather than conventional role definitions, like "Administrator", "Manager" or "Director." Rules can be set to allow members the opportunity to change colored hats.
This may all sound like a silly exercise, but that is actually not the case. Organizational performance is not about positions or roles. It is about the products arising from the discrimination of noise and the creation and dissemination of knowledge. This is an anonymous role representation process, with parallels to the way that organizations of technical people now work together within corporate chat sessions to create knowledge. The anonymity of position, and therefore the obscuration of the origins of content, prevents dominance and allows useful contributions to the group to be better recognized for what they are.
This is very much the way that work through secure content dissemination can be expected to be presented in the future. Technology has changed the range and degree of acquired data, information and knowledge that must be secured. The kinds of problems that now exist and that modern organizations must face are different today.
"Communication needs to be seen not as a process occurring between any sender of messages or any potential recipient, but in relation to the social system in which it occurs and the particular function it performs in that system." "The glorification of a full and free information flow is a healthy step forward in [solving and reducing] intraorganizational problems as well as in relations of an organization to larger social system[s]. It is, however, a gross oversimplification. Communication may reveal problems as well as eliminate them. A conflict in values, for example, may go unnoticed until communication is attempted. Communication may also have the effect, intended or unintended, of obscuring and confusing existing problems." (from "The Social Psychology of Organizations" by Daniel Katz and Robert L. Kahn, published by Wiley, pp. 223-229, 1966)
If we are to appreciate the standing technical issues of security, then we must understand that the engineering problems we face come about as a result of our choices in the philosophical definitions, limits and boundaries we place on the concept of security. The purpose of security is the protection of content, yet we choose to limit our concepts within security to that of connectivity and links. Denial of Data, Information and Knowledge should be principles just as important as the limited notion of Denial of Service. From a different perspective, the concept we are actually seeing is a Denial of Performance. The paradigm shift in the philosophy of security is away from connectivity and toward useful arrangements of content.
In terms of productivity, in the future there will be little use for a single physical file, site or server for obtaining knowledge. This is a part of the vision that I alluded to when I spoke about the ability of security to enhance the performance of organizations, but we know that security solutions are capable of providing this degree of content control. We do not have this capability now within our security processes because our systems currently emulate the outdated physical organizational wiring diagrams.
Organizational diagrams have been thought to keep the connectivity rational, but they have also held back potential organizational productivity through knowledge. As the requirements for a new security philosophy become more apparent, the requirements for knowledge-based organizations to rise to the surface of competitive challenges will also become apparent.