It’s hard to believe that it's been 20 years since I got my first office-issued Blackberry. Or, it might be more accurate to say, I was rewarded with the Blackberry. When I was handed that device, it felt like I had finally made it in my career and was getting a rare badge of honor that came with that success. I'd proven my ability to the company, which also meant that I'd proven to IT that I could be trusted not to compromise this treasured, cutting-edge mobile device.
In retrospect, the Blackberry was hardly a powerful device. The lengths I had to go to in order to get one, though, were no joke. Back in 2000, internet access at work was a privilege, not a right. The IT team exercised meticulous control over everything from the provisioning of machines to what each person was allowed to do. People had to petition to be allowed to connect to the internet. Getting a laptop from which to log in remotely via VPN was often a C-level perk or only available under the most dire circumstances – an illness, necessary remote IT support or an earthquake!
All-or-Nothing Network Access
Looking back at how enterprise IT guarded and portioned out assets and access back then, it might sound a little like tyranny, but it generally wasn't. It was merely the product of a different relationship between technology, IT and end users than what we see today. Back then, stories of cybercriminals and data breaches were far from the public mind, so the average non-technical user's understanding of cybersecurity was limited.
The IT department's job was to make computers work and facilitate end users' jobs while, in the interest of maintaining scrupulous network security, limiting internet access at the level that the network management tools of the era allowed – often an all-or-nothing proposition. Either you were allowed to use it, or you weren't.
In that era of enterprise computing, the relationship between an IT team/chief information security officer (CISO) and an end user resembled something closer to the relationship a utility company has with a customer.
If you think about your gas, electricity or plumbing, you'll realize there's a whole range of things going on behind the scenes to safely and effectively deliver your utilities. Industrial plants and sanitation facilities, citywide and nationwide networks of infrastructure and even the wires and pipes in your home create a sophisticated system that secures the basic foundations of modern living.
But unless you work in one of those industries directly, you probably don't know much about these systems. Outside of DIYers who take on wiring and plumbing projects themselves, the great majority of your interaction with these service suppliers happens when you're getting set up or when something breaks.
So went the IT department in the old days. They gave you what you needed to do your job, with no assumption that you'd understand the tech behind it and, often, with the assumption that if you had enough access to mess something up, you probably would.
Now it's 2020. Rapid advancements in enterprise technology and equally significant shifts in how people interact with it in their everyday lives have meant a few different things. End users now have an unprecedented level of knowledge about how to use technology and, even if they don't have explicitly technical skills, are using numerous sophisticated devices to perform daily tasks at work and at home.
The technology itself, its potential and the way it is implemented have begun to diverge from their familiar on-premises incarnations. And perhaps paradoxically, at a time when it has never been more important for IT departments to ensure cybersecurity, the preceding factors have made it infinitely more challenging.
By looking at a new framework for understanding how end users relate to technology and to the IT department, and seeing where things go wrong when companies try to implement old-school thinking in the new world of cybersecurity, we'll have a better idea of what this all means for the IT pros working to manage and secure infrastructure.
IT Then and Now: Our Era of Constant Change
It’s no secret that the era of a primarily passive end user is over. Here are just a few examples of the changes we've seen.
Software and Applications Use
Then: Office employees generally used the basic functions of a limited number of applications – a word processor, a spreadsheet program and maybe a database.
Now: Depending on the role, they might use apps hosted on the cloud – under the purview of their organization or outside of it – for everything from in-office communication to work-specific tasks.
Local Applications vs. In the Cloud
Then: People used work machines only for work, on applications installed directly on machines or on an internal server.
Now: People live a huge portion of their lives online, using personal devices for work matters and work devices for personal matters. They conduct a large portion of this on cloud-based apps that exist on a third party’s infrastructure (which is out in the ether, as far as the user is concerned).
Software Purchasing Process
Then: People with job-specific software needs, like designers, would install Adobe Photoshop or Illustrator on their machines after going through a long chain of forms and justifications to get the license.
Now: If they can’t get what they need quickly and easily, they circumvent work networks entirely.
On Site vs. Remote
Then: Oh, and of course, all employees were in the office whenever they were doing their jobs.
Now: People work everywhere – you might be working remotely while reading this.
Things are only getting less centralized and more complicated. For example, people in more technical fields like software development can use Amazon Web Services (AWS) and infrastructure-as-code processes to set up continuous integration and testing of their solutions. Weeks-long workflows that once required IT sign-off and support can now be done instantaneously.
So, what does this mean for the future of cybersecurity? Today’s IT department needs to operate less like a utility company and more like a consortium of city planners.
The IT Department: A New Paradigm For a New User
Today’s end users are active, like we are as citizens of our communities. When you need to go somewhere, you likely have options – you could drive, walk, take the train, take the bus, ride a bike, use a ride-share service. As an enterprise end user today, you similarly have a lot of options.
Building out and securing a network, then, becomes a matter of setting up systems that allow end users to exercise their options in the way that best suits their needs – without putting them in harm's way.
Municipalities are constantly doing this. They plan new roads to reduce traffic congestion. They change speed limits and re-architect turn lanes to improve safety. They build bike lanes to provide commuting alternatives. They launch pilot programs of other forms of personal transportation, like scooters, to see how they improve things. They determine emerging needs and demographic shifts and, on that basis, introduce new public transportation routes and make service more frequent. They test out new smart city technologies, like roads that light up when black ice is present, to address age-old dangers.
Using this model, IT departments can build out networks that empower rather than restrict. They can use data to understand where things could be better and implement new solutions accordingly.
Cybersecurity pros following this model treat cybersecurity as a living, breathing set of objectives adhered to on and offline and promote enlightened compliance from users rather than demanding they follow a set of rules to check a box. And they stay on top of the news, the threat intelligence and other developments in the field – to evaluate the real value of new cybersecurity solutions in their particular context before making an investment.
Today we call the technologies we implement in IT enabling technologies, so we should be thinking about the IT department as an "enabling department."
The Future of Cybersecurity
The old-school mindset – that the IT department exerts control and dispenses access on an as-needed basis – is still around, and it makes sense that it endures. For someone, like me, who has been in the industry for quite some time, it's completely reasonable to have concerns about doing what feels like throwing the doors open and letting people do whatever they want, no matter what disaster they might be setting the company up for.
Technology, after all, is moving fast. Perhaps ironically, cybersecurity threats are even more dangerous, and far more numerous, than back when it was IT’s prerogative to lock down everything.
But the truth is that in today’s enterprise computing environment, trying to exert undue control over things like access in the name of security – no matter how well-intentioned – can sometimes work at cross purposes with establishing that security.
Forcing employees to go in and out through VPNs with multiple logins only encourages them to find creative ways to circumvent the protocol, ways that can open up vulnerabilities IT isn't aware of.
Old-fashioned, protracted device checkout policies turn into practical impossibilities that everyone ends up ignoring.
While this paradigm shift makes it sound like we're living in a whole different technological world than we were 20 years ago, some things are strikingly similar to how they were in the formative days of enterprise computing.
Companies still struggle to answer questions that appear profoundly simple:
- How many assets do they have?
- Where do they reside?
- Which applications are being used?
- Who is using them?
Patching endpoints remains the problem child of IT. This is made ever more onerous by the heterogeneity of environments and is exacerbated by cloud and mobile computing.
These are problems that, for all our advancements in capability, we should have tackled by now. Instead we have been piling on new complexities without first addressing these foundational issues – which continue to compromise our networks and render ever-more sensitive and critical data insecure.
There is hope, though, for the future of cybersecurity. With IT certifications, like those offered by CompTIA, we can finally reach a point where we’re building our IT and cybersecurity postures on a solid foundation. Rather than dressing up the same old problems in fancier clothes and continuing to trip over them, we can leverage technological advancements like cloud and mobile safely, securely and effectively – in ways we never imagined.
CompTIA: Setting the Standard in 2020
2020 promises to be another fascinating year in technology. More enterprises will undertake digital transformation efforts to streamline their operations. More small and medium-sized businesses (SMBs) will leverage new, cutting-edge tools to bring the ideas in their imaginations onto the screen and into the world. More hackers will find new ways to defraud, extort and infiltrate, and more cybersecurity pros will find ways to frustrate, defuse and defeat their efforts.
More change is coming, but regardless of where the field goes or how it inevitably surprises, CompTIA certifications will act as a bedrock to make sure that IT pros, no matter how long they have been at it, have the knowledge, talent and ability to handle the tasks at hand.
CompTIA certifications provide, from the entry-level up to the most technically sophisticated cybersecurity careers, benchmarks to confirm that the knowledge a certified IT pro holds is the knowledge that a cross-section of employers at all levels of the field demand. So, with a stable of CompTIA-certified IT pros, any new challenge will already look familiar and manageable.
As we continue on into 2020, we'll be exploring even further the new ways of thinking necessary for IT to keep pace in the new technological world, and how CompTIA's vendor-neutral certifications will continue to support that thinking. Happy New Year, and get ready!