The uses and appearances of information technology have changed dramatically over the last ten years. And the ten years prior to that, and the ten prior to that. It’s amazing to think that the devices most of us carry around in our pockets are more powerful than some desktops of twenty years ago, and more powerful than rooms filled floor to ceiling with computer hardware forty years ago. The use cases have changed as well—so much so that we have monetized IT to the point where we cannot conduct business without it. Protecting our IT systems isn’t just a “nice to have” anymore; it’s required to protect the investments entrusted to us.

The Data Center, by Tu Holmes

Ten years ago phones were phones, and you had to be near a computer to check your email. Today it’s difficult to find a corporate citizen, from middle management to executive, who doesn’t have some kind of mobile access to corporate systems. The mobility demands, consumerization of IT, and thin computing have forced us to re-think how we architect our IT systems, and we need to re-think how that applies to information security. I remember spending time architecting IT systems fifteen years ago and focusing on processing power while dismissing the network layer (other than resilience) because the majority of people accessing these systems were doing so from modems. Now we have major US cellular carriers competing over the cost and speed of data services many times faster than modems could deliver back then.

Networks need intelligence just like systems do. The pipes we manage aren’t getting any smaller, and the amount of content we generate and then serve up cannot be contained. To further complicate things, we’re doing more on other people’s dollar—meaning most companies have some kind of cloud or virtual computing strategy—and the systems are no longer defined by their physical attributes and locations. We entrust much of our information to third parties (here is an excellent article about Skype in the enterprise), and their abstraction often further complicates attribute definition. Therefore, we can’t build security solely on those concepts, and we have to put more emphasis on the only commonality here—information.

As we re-architect IT to be more information-centric than system- and network-centric, we have to think about securing the information independent of the processing and transport mechanism. That’s not to say that we have to ignore other things like link layer security and cloud or host security. In fact, those things will end up as standard parts of contracts before long. But we should be building security into the soft sides of the systems such that a minor oversight by some third-party provider won’t impact your information.

Now’s the time to put off firefighting for a few hours and really think about how you serve users today, how that is changing from a few years ago, and proactively build security into the new architecture you will need to serve your enterprise. In fact, this might be the perfect time of year to do this since many of you are living in a network freeze until the middle of January.

This post originally appeared on