Sunday, April 27, 2008

Social Networking for Security

Ross Mayfield connects some fascinating threads on his blog, where he discusses "Secure what people do, because information doesn't do." Ross's thoughts build on comments by JP Rangaswami and Andrew McAfee. In turn, Ross has prompted me to connect a different set of dots...
Ross makes the point that what matters is not the information per se but what someone does with it. Couple this with JP's idea that "Information is changing. And it is becoming more valuable to us all by becoming less valuable to any one of us."
If we are to re-think Information Security, then this could turn some organizations' security posture completely upside down. What do I mean by this? Let me explain.
In many organizations, information control relies on filtering and a need-to-know approach, in an attempt to keep information contained. Increasingly, however, an organization needs to spread information widely in order to function effectively. The complexity of managing security grows exponentially with the number of connections.
It strikes me that making information less controlled could lead to a reduction in the cost of managing information security. However, this can only be done by re-thinking traffic filtering. If an organization wants to simplify information management, then it should at the same time lower the barriers to the outside world and let its employees have access to all of the social tools they use to be effective knowledge workers. By doing this I am not encouraging anarchy. What an organization should do, to Ross's point, is mine the social network connections of its employees and understand the web of connections that exists. This knowledge can be used to map how information is used. Employees would have to understand that they have a greater responsibility in the management and use of information.
Knowledge workers are employed for what and who they know. Forward-thinking organizations should recognize this and seek to leverage those connections for greater insight. The social web of connections can provide valuable insight into the use of an organization's information.
If information wants to be free, it will find a way to be free. So why don't we adopt a security posture that maps the social network in order to understand and track the flow of information through what people do with it?