By Peter Rietveld and Diederik Perk.
The longstanding adage says it best: generals prepare to fight the last war. Business leaders cannot be faulted for falling into similar pitfalls when it comes to information security. The domain itself fails to chart its course, while it should aim to navigate towards real-time mapping of the threat spectrum, cost-effective business integration and automated decision-making feeds.
Information security has always been a difficult concept. In theory, we protect the information assets of our organization; in reality, however, we secure the hardware, systems and networks (poorly). Protecting all but the actual information assets means we live in the world of CompuSec, not InfoSec.
In practice, we secure the information systems that we suppose hold the sensitive data, as a definable trust zone. It is InfoSec-by-Proxy. And in general this is done by restricting access to the inroads to these systems, on the network perimeter. This is the concept of the security ‘choke point’, sitting between the trusted internal zone and the evil lurking outside.
The common opinion within the InfoSec world is that over the next decade, information security will need to turn its eye to information and its relative value, more than looking for a quick technological fix. What is overlooked, however, is that in the same decade the most relevant and current information on a given organization will be gleaned from Big Data, most of it in the public sphere. The resulting information security must therefore be modeled after national intelligence outfits and feed directly into business decisions. It can no longer be modeled after the IT support departments, as is the custom today.
A short look into the past contrasts established information security practices with their future form. Securing any grouping of assets requires taking stock of the inventory, ideally followed by classification and labelling. In practice, the costs and efforts of classification and labelling are prohibitive. Even with the very limited amounts of data we had in the 1980s and 1990s, it proved a task too great and the benefits too intangible, let alone trying the same today.
With the Jericho manifest, the thought leaders in information security acknowledged in the early years of this century that the network perimeter is no longer an effective ‘choke point’ where we can keep the bad guys ‘out’ and the goods ‘in’. They coined the cumbersome term ‘deperimeterization’ for this. The lesson of Jericho has yet to be digested by most people involved in security, while new developments are already at the doorstep.
Already we are seeing the next steps in dismantling the traditional notions of security, steps whose impact will go beyond deperimeterization. The developments in Big Data and OSINT will, when combined, completely change what we have to do, and who we have to do it with. Information handling inside both the corporate and public domain will closely integrate the operations of security and the marketing department.
First, consider the impact of Big Data. Leveraging the exponentially growing pool of data by means of data mining offers a competitive advantage. For publicly traded businesses within the EU, annual or half-yearly financial reports are the current standard. Many organizations are seeking to know where they stand on a real-time basis as opposed to on a long cycle. Aggregating the financials over a period of time gives insight into patterns of resource allocation, strategic direction and capability.
Savvy researchers may use the same tools and skills to surmise the risk profile a competitor maintains, and leverage it for benchmarking purposes, or for beating the competition at its own game: as such, Big Data is a disruptive technology. Advances in the semantic web underline the importance of moving along by opening up data in various ways, so that machines can add to and understand its meaning and make it more usable and accessible. On the horizon lies a point at which public data may become more readily accessible than internal corporate data.
From a security perspective, Big Data raises questions on how to detect and mitigate spillage of corporate information into the public domain, be it through incomplete configurations at the hands of its own employees or through acts deemed harmless today. One could easily use LinkedIn, for instance, to find out what type of security technology an organization uses and whether the staff is trained sufficiently. It is a challenging new dimension to social engineering attacks. As yet, current industry frameworks are still struggling to provide guidance on Big Data’s potential blowback effects.
Industrial multinationals playing in the major league have long moved towards elaborate all-source analysis feeding the conduct of regular business, active surveillance and even preemptive strikes, and now the rest of the players on the pitch are to follow suit. This development will deeply impact the world of InfoSec. Information security will take up the task of reconnaissance: analyzing what third parties may gather in connection with the organization. The enterprise overlooks it at its peril, risking an information deficit as a consequence.
Secondly, internal competition for budgets is driving a renewed search for synergy. Directing the tools to data-mine both internal and external documentation will lead to increased interest and interference from the Chief Marketing Officer.
Already, IT budgets are being usurped by digital marketing needs. Knowing the customer by monitoring its actions, optimizing and controlling brand visibility, and mitigating reputational damage are exactly the purpose the marketing (and PR) branch serves.
When market competitors come snooping on our turf, security would like to be the first to browse through that report and seek out their intentions, but the snooping may instead be discovered by marketing tools. Conversely, having your security house in order is a major selling point in many sectors, which can be cultivated (discreetly, no need to invite trouble) for promotional purposes.
It may come as a blessing in disguise when the gains sought from marketing expenditure are successfully aligned with business-enabling security measures. Marketing wants to know the customer journey; the security department needs to know the competition’s journey.