IT Security Strategy: Thinking Inside and Outside the Glass Box

As the chief security officer at Leo A Daly, an Omaha, Neb.-based architectural and engineering firm, I often describe IT security as a sealed glass box filled with a green liquid. The glass box represents the organization, and the green liquid represents all our different data types.

The box provides excellent transparency into the organization, and the green liquid can easily be seen and contained, but it’s still protected by the structure of the glass box. To me, this is a traditional approach to security: taking what is valuable and allowing it to be seen, but having very stringent controls in place to contain and regulate it.

The next step involves either allowing more of the liquid (data) into the box or controlling the process of extracting it from the box. Again, this process is generally administered via strict controls, which are similar to a series of pumps and pipes.

During these addition and extraction processes, the IT department usually spearheads the control of these pumps, determining who has access to which pump, which direction the liquid is flowing in, and what the flow rates of the pumps are. (See illustration.)

This process may have worked well in the past, but as employees, customers and the business as a whole require a more flexible environment for storing and accessing data, this glass-box approach begins to show its limitations. What happens if your box fills up? How easy is it to expand a sealed glass box? More importantly, what happens if your box is breached and your liquid—valuable corporate data—spills out? How do you know what information was leaked?