To address today’s threats, companies require a high degree of convergent perspective, information expertise, and coordination between personnel and groups. Previously, companies could “make due” with a basic security controls such as firewalls, Intrusion Detection System (IDS), and anti-virus. Attempting to understand the threats facing an organization and analyzing risk was often an afterthought, as companies relied upon simple compliance matrices and lists of “best practices” to secure their environment. This is no longer sufficient to address the threats of 2013. A major mistake in information security implementation is what can be referred to as “security parallax.”
While the term parallax may be new to some readers, it is a concept with which all are familiar. Anyone who has used the phrase, “I can see your perspective,” is familiar with the concept of parallax. Parallax is an optical phenomenon that refers to the displacement or the difference in apparent direction of an object as seen from two different points not on a straight line with the object. In a very simple example, if two people are at different points in the same room that is furnished and looking at the same object, the perspective is different. It is possible that a table is visible to one person, yet hidden from the other. Even the same objects will appear differently to the two people in two different positions. In science, parallax is used for a number of purposes including the measurement of distances between distant objects such as stars or planets. Parallax can also create numerous challenges such as in long range marksmanship. In that context, parallax describes the condition in which the target object is not focused on the same focal plane as the reticle (crosshairs). Because they are not focused on the same plane, parallax creates an optical illusion in which the reticle only appears to be positioned on a target when it is actually slightly off target.
In business, and especially in information security, parallax can be used to describe a few conditions that are detrimental to the organization. As can be seen in the following example, parallax can exist between various stakeholders or groups. Several years ago I was meeting with a prospective client regarding their PCI compliance efforts. In talking with the client it became apparent that the company had some major challenges with their information security controls that were not directly related to PCI DSS, but that exposed the organization to significant risk. I politely informed the client that PCI DSS compliance was important, but they had more fundamental issues that needed to be addressed. After outlining the identified challenges, the CIO looked at me and, although agreeing, said apologetically, “The board wants us to focus on PCI compliance.”
This is an example of what can be described as parallax between the business and security groups. Parallax between groups occurs when the business and security groups do not share a common perspective on the threats facing the organization, thus creating differing focal planes. Business needs a convergence of vision to ensure that the corporate strategy is consistent and focused on the threats facing the organization, rather than simple adherence to a standard. It is not uncommon for one group to perceive the risk of non-compliance fines as the greatest risk because their perspective does not allow them to see the other risks.
Parallax has the same effect even within groups. If one were to ask two security consultants or engineers who work for the same company to describe the risks to that organization, the chances are better than not that you would receive two different answers. The divergent answers are due to the differences in education, experiences, skills, and other factors that result in varying perspectives on the same situation. In much the same way that business units should find a way to unite the vision within the group, it is important for information security groups to establish processes to consider each perspective and adjust the parallax to ensure the visions converge, allowing the stakeholders to focus on the same object and address the threats appropriately
Information security in 2013 requires a more focused approach than in previous years. Effective security management involves a coordinated effort of numerous stakeholders with differing view-points and perspectives. Companies need to identify a method to converge the perspectives in order to achieve a consistent method for quickly identifying and categorizing threats to the organization. The adaptability of the threats requires that organizations establish a process of continual evaluation and re-evaluation of the threats and the effectiveness of controls at countering those threats.