A Matter of Trust
There are four distinct promises that must be kept, or at least more nearly honored, if IT administrators are to regain the confidence of enterprise managers and if the private sector is to remain free to innovate.
Secure borders
First is the promise of perimeter defense--the sense that there is some clear boundary between those who have authorized access to information and other assets and those who may well be invited guests but whose privileges are definitely in a subordinate class. This promise has been the goal, express or implied, of the vast majority of IT security effort and investment to date.
Adult supervision
Second is the promise of internal control--the clear allocation of privileges such as information access and modification in proportion to the needs of one's job. Here, there has been less success in defining goals and policies, let alone in reflecting them in actual technologies and IT practices. Enterprise IT builders may find it difficult to communicate the need to spend money and time defending the organization against itself, but the vast majority of serious but subtle threats are internal--whether they arise from accident or malice--in even the best-run organization.
Neighborhood watch
Third is the promise of community collaboration. Enterprise IT spans all 24 time zones; its best tool for responding to new threats, in time to prevent their devastating effect, is the capacity of the community to join in saying, "I don't know what that is, but I see it, too--and it's not anything good."
In the public interest
Fourth--and not to be despised, even if it is the weapon of last resort--is the double-edged sword of government response. Inspired by the shock of Sept. 11, 2001, legislators are prepared to grant broad powers to executive agencies; those agencies are prepared to focus resources, and risk public discomfort with what may seem like breaches of personal liberty, in an atmosphere that says, "The risks are real; the harm is hypothetical."