The company perimeter – the technological corral that divides a business’s IT systems and information from the outside world – is changing rapidly from something solid through which nothing passes to something much more intangible.
For many of the Corporate IT Forum’s members – all enterprise-level users of IT – it makes little sense to talk about information being “inside” and “outside” the organisation at all. This, in turn, is shifting how security chiefs define information security and tackle security threats. Indeed, it is altering what it means to “control” and “defend the perimeter” altogether.
There are a number of interlinked causes behind this. There has been a revolution in the way people work and interact with information and the systems that store and deliver this information. People want to work more flexibly and businesses need them to be able to share information more rapidly between points anywhere in the world. Employees now access networks, systems and data through multiple mediums, often depending on how they work, where they work and when they work.
Added to this, companies understand the value of sharing information with trusted partners and third parties. It is becoming common practice to collaborate through multiple channels and across team, unit and geographical boundaries.
Web 2.0 tools and technologies – social networking, blogging and the like – are ubiquitous in the home and leisure environment, and businesses are under growing pressure to adopt them too, which will open up the perimeter still further. Companies understand that some Web 2.0 tools are already mainstream for large portions of society. Today, security chiefs field repeated requests for Web 2.0 technologies, most of which they prefer to deflect. Tomorrow, they will be required to provide them. The next generation of employees will expect to work with them as a matter of course, so banning Web 2.0 use can only be a temporary option.
So what does all this mean for the security director? Where at one time their job was to control, lock down and protect the perimeter with “gates, guards and guns”, now their role is to manage IT and information security threats at an appropriate level within the broad range of approaches and solutions available depending on the risk or threat anticipated.
At one end of the spectrum are the old-fashioned, physically mediated risks, such as staff mistakenly or naively infecting corporate systems by plugging in MP3 players or USB sticks carrying malware. While such threats must be taken seriously, they occur inside a company’s perimeter, on equipment the company owns, and so can be largely controlled. At this end of the scale, mitigating the risk is about having the correct security technologies in place (device control and endpoint protection that do not rely on the user’s judgement) and the right policies enforced.
Somewhere towards the middle of the spectrum, the picture becomes murkier and the security director’s job more challenging. Here, the risks concern the security of information and originate with people such as the senior manager who synchronises a personal BlackBerry with the company system, or the director who carries corporate information on a personal laptop and sends texts to a work PC from a personal mobile, or vice versa.
Often such people work on a highly flexible basis, take advantage of public hotspots or wireless access zones and carry around multiple devices, frequently loaded with non-standard applications and a high level of functionality. They are also, very often, the most senior people in an organisation and the most likely to access and enter the most sensitive company data and information.
Here, while the risks are clear, the solutions are less defined and will be unique to each situation. The parallel use of personal and corporate equipment makes security boundaries less clear and security chiefs must find the right mix of appropriate technology, improved processes and staff education – whatever is right for their particular business and their particular level of risk.
Moving to the far end of the spectrum – where corporate security as such cannot properly prevail – the risks involve the worker who, for example, joins a Facebook group and for the best of intentions identifies themselves as an employee of a certain organisation and engages with that group on their own PC, in their own time.
Operating beyond the perimeter and beyond any corporate control, these are the people who may be tricked into giving away sensitive information by cyber criminals, or who become – often without knowing it – visible brand ambassadors for their company. What they say online about a company – both bad and good – and how they conduct themselves can reflect on their employer.
The risks here are clearly of an entirely different order to those at the opposite extreme – indeed they are not traditional IT security threats at all. No technological fix will prevent them and a policy of “don’ts” will not stop them. Here, user education, guidance and raising staff awareness are key.
As technology becomes more embedded in people’s day to day lives and as the speed of business increases, company perimeters are likely to become increasingly open. Indeed many of our own members are, within the Forum, investigating how cloud computing and utility service delivery models could mean the loss of the traditional perimeter entirely – and assessing what the impact would be.
As the boundaries fall, the type of threat will change, and security quick fixes or one-stop-shop solutions will become less viable. Security chiefs will need to put in place a balance of training, policy and technology to ensure that both business systems and information are kept secure.