[IT is out to kill the business - Business is out to kill IT. We all win!]
My dad has essentially worked for 2 companies in his 50 or so years in business and had he not emigrated, he probably would have stayed at one. I worked at 2 companies in just my first 5 years of full time employ. And this is not strange. No one viewed me as unstable or a "job hunter". It is just the way it works.
"Knowledge workers" moving companies is not something new with the average length of service to one organisation being about 3 years. I've heard that this is tending toward 2 years or even 1 year. Where will this trend lead?
It was only when I started compiling my most recent CV that I realised just how busy I had been over the 4 years that I was employed at my previous employer. But I still managed to have spare time. It would have been amazing if I could have done what I was doing but for 2 companies at the same time with both paying me for the output. Or even better - doing half of what I was doing but for 3 companies with another person doing the other half for 4 companies. There is only so many ways an "ISO 27002 compatible Antivirus standard" can be written and only so many variables that can be manipulated. All companies need to patch and all need to do so in the same time period so an "ISO 27002, Cobit and ITIL compatible Patching Process" would be almost identical for all of them.
Good thinking Allen, but there is a word for this - "Contractor". Exactly. And my employer had many contractor. And Australian businesses seem to have many more. But my argument is that the trend toward using more contractors can actually get to the point where there are no permanent employees in a company.
I love the word "company". We are so used to using it that we never actually look at the word itself. "Corporation" is the same. A bunch of like minded people coming together to keep each other "company" and do something positive. So... lets explore that. A loosely joined "web" of people coming together and using technology to collaborate on a set of ideals. This sounds like a web-board. I haven't seen one yet but I could certainly label the idea of a "cloud company" as "plausible". Crowd sourcing an entire company including funders, workers, salespeople, delivery people, cleaners, security (the physical type...do we even need them if there are no premisses?), management, etc. And since everyone is a contractor, SLAs are important and everyone is measured. You don't need layers of management - you just need clear outcomes. If the whole thing falls apart then everyone just leaves. If it works then the whole process is repeated. There is no workplace and no work hours. There is no receptionist but there may be someone hired to communicate with the outside world and they would need to be available during office hours. (Or this could be outsourced and have a follow-the-sun communication plan) - imagine a company that is working 24 hours and that can be contacted at any time.
The interesting thing here is "who owns the intellectual property?" The general processes and procedures and "intellectual property" such as "patch management", "how the phone should be answered", "how is the product packed" and "how fast should it be delivered" could belong to the individual contractors. The IP that I am interested in is the "core IP". The recipe for the product, the design of the product, the trademarks etc.
So, using technology and IT, it is possible to have a company with no "company". No buildings, no desks, no "office hours", no front desk, lawn to mow, delivery vehicles, office. Just a technologically connected bunch of like minded people with a single outcome. The technology is available, we just to use it and companies have been dipping their toes into this slowly. This is something that doesn't happen overnight. But it is happening. One benefit is that the "employees" can work on a number of projects all at once. Or not. It is their choice but using facebook to waste time waiting for the end of the day is no longer an issue.
So... IT is out to kill Business.
Then we have the other trends which are mostly being driven from the non-IT part of the business. These are Cloud Computing, Consumerisation and BYOD. IT is brought in and asked to manage these but these are all areas where the IT department has had full control and has had to relinquish some of it so that Business can work with the tools that they want and using services that they are familiar with but without the red tape that IT can spin when delivering on an "enterprise ready" solution. Taking this further, is it possible that Cloud services could make it simple for Business to totally bypass IT altogether and put their own solutions together without bothering IT. This could include "I have a new employee in my team. Let me just hook him up with a mailbox and a fileshare" to "I need a way to track my sales staff" to "I need a way to report on the company financials." etc.
Where does that leave IT? Well, in quite an interesting position. There should probably be someone to manage the services even if they are "cloud" or "PaaS". This also leaves IT in the interesting place where they become advisers to Business and architects. "Did you know that you can use this service to monitor your staff? No? I'll just hook it up for you. They offer 30 days for free." etc
So IT ends up being forced to talk "solutions" to business rather than "tech talk" and gradually manages the IT systems outwards until there is no IT department but internal IT consultants offering solutions to business people who own their own IT solutions.
Both of these scenarios are not exclusive - they can both happen. And are happening. And, in fact, feed off each other. The less red tape that business needs to deal with - the quicker they can create flexibility and allow work to be done by contractors. Some companies will take longer to get to "a loosely bound group of like minded people working toward a goal" without the traditional company holding them together but it will come.
This may sound like fiction but ask anyone 50 years ago about whether they would trust someone who moves jobs every 2 years and they would find it difficult to do so. Now it is normal.
So, (you ask) where does this leave Information Security? And I was hopeing that you wouldn't have asked. It is not an easy thing to answer. This movement toward less central control will scatter the IT field (mainly) with concepts such as "Cloud", "PaaS", BYOD, "consumerisation". And IPv6 will just accelerate the change. In all of these cases we end up with less control and more freedom. But the controls don't go away. They just change. In fact, in some cases they get better. In some they get more complex and in some the controls that were important but were overlooked become essential.
The information security team really needs to get more of an understanding of the company and who owns which piece of the process from raw material to money in the bank. Who owns what information and what can be ignored and what is the essence of the organisation - the IP that is so specific that the company is defined by it.
Forget patches and antivirus patterns. Those can be outsourced. Information Security is about working with the company to know itself and how the essence of the company can be protected from those that will do it harm. And we need to do it quickly while the company is still an entity on its own.