Information Security Management : A Wake Up Call !

A great article by Thomas Kendra (Symantec) posted in the Financial Times, Digital Business, Personal View (Dec. 5, 2007) urging for the need to adopt a “fresh approach” to information security management given the new challenges posed by our modern organizational structures. These now involve increasing interorganizational processes, insider threats and ubiquitous computing infrastructures. Obviously, this is “music to my ears” given my research interests in Enterprise DRM and Digital Policy Management (DPM).
Basically the whole point addresses the issue of how to go beyond current security approaches which are now insufficient and consequently fail given these new challenges. Or in other words, how do we address the current weakest link of information security basically boiling down to People and Mobility. And as we all know, security is only as good as its weakest link.

So, despite the “YouNameIt++ frenzy” (trend consisting of giving and incrementing version numbers to reflect the next generation of challenges in a topic, e.g., Web 2.0, Web 3, Identity 2.0, etc.) he calls for “Security 2.0” saying it builds on traditional security (Security 1.0) adding protection at the level of the information itself and the interactions.

Interestingly, Enterprise DRM is currently one of the possible technologies used in the corporate environment to address some of these issues trying to persistently protect and manage content no matter where it resides (i.e., including outside traditional corporate perimeters). As a result, this brings the granularity of the protection down to the individual information level by cryptographically associating governing rules to the content. Moreover, given the criticality of the managed content it is also possible to dynamically adapt those rules in real time thus allowing to basically “recall” content if needed.

Our environment cannot rely anymore only on perimeter based security, Access Control, and secure communication channels. We’ve passed the point of no return and need to address information security in a way that accommodates current and future business practices.

Two problems arise here : First Interoperability and the lack of standards in the field of Enterprise DRM. We cannot rely on vendor specific proprietary solutions. Second, most deployed solutions today address specific needs in siloed approaches (e.g., SOX, Based II, HIPPA, IP protection, etc.). As a result, the field needs to take a step back and rethink the whole problem at a higher abstraction level in terms of Policies and how they are managed. Some of which may be electronically instrumented through technical means (e.g., Enterprise DRM). This is Digital Policy Management, an emerging and very important research area I’m working on. I have setup a page for this in order to generate and stimulate discussion on these issues here: The Digital Policy Management (DPM) Page. Everyone is welcome to join the conversation (practitioners and researchers) on all aspects of the problem (engineering, management, legal, social, ethical, behavioral, etc.)

Source :, Dec. 5, 2007, New Threats call for a fresh approach, Personal View by Tom Kendra,



Do we need to take a step back and rethink IT research ? Services Sciences may be part of the answer…

Interesting comments from Tim Berners-Lee reported in the Financial Times today about how the IT industry is dangerously engaged in short-term views and is consequently missing out on major potential risks and opportunities in our increasingly networked society and economies. Particularly emphasized is “the [current] lack of support for long-term research” which prevailed in the past in labs of major technology companies (such as AT&T, Xerox, IBM, etc.) and contributed to significant advances in the field. Nowadays, the tendency appears to be product driven over a period of 18 months rather than, as quoted : “here are some really big problems, go away and think about them, take some risks, come back with some ideas we don’t believe – the sort of things that triggered big advances in the past.

Also noted is the necessity for research on the future of the Web to “draw on experts from a mix of backgrounds, including technologists, economists, psychologists and sociologists.” in order to rethink Web interaction, organizing society and maybe replace existing forms of democracy.

I couldn’t agree more. In my opinion this goes far beyond industry research. This is also valid in the academic environment where some IT related disciplines such as MIS and IS are facing growing concerns with dramatic drop in enrolment. We need to take a step back and rethink our disciplines in ways that integrate the ever increasing dimensions of our societies. Of particular interest here, is the emergence of Services Sciences as a discipline drawing form disciplines too often isolated such as computer science, operations research, industrial engineering, business strategy, management sciences, social and cognitive sciences, and legal sciences. IBM has been instrumental in this direction which they now brand under the title of : Services Sciences, Management and Engineering (SSME).

Predictions are hard to make. However my “gut feeling” definitely includes evolution towards interdisciplinary research in our field to address the challenging issues of our networked economies and the growing pervasiveness of our “read-write” societies (borrowed from Lawrence Lessig, great talk at Linuxworld 2006 and TED Talk March 2007), but this is another story…

Source :, Dec. 6, 2007, Web founder warns of short-termism, Richard Waters and Kevin Allison,