Just what is information security as a profession? What is it that we’re doing?
Go read about information security, and you’ll read all about the three tenets of information security: confidentiality (ensuring only those who should know the information can see the data), integrity (ensuring that data is correct), and availability (ensuring data is there when you want it). If you have those three things, you are secure! Is that, fundamentally, what security is?
Not really.
When I meet someone, I try to make my job sound as sexy as possible. I tell them “I keep my company’s network and data safe from foreign organized crime syndicates, hackers, viruses, and malicious insiders. You’ve probably bought a pair of jeans from us. I’m the guy keeping your credit card number out of the hands of anyone who might want to steal your identity!”
I am an information security professional! So I keep information secure, right?
Wrong.
Let’s look at what secure means. According to a dictionary, it means “free from danger or harm; safe.” So I keep my company’s assets free from harm!
Wrong again. There are viruses. There is downtime. There is the occasional loss of data due to user mistakes.
Security is unattainable. Your assets, your data, even YOU are NEVER free from danger. Anyone who tells you otherwise is either a fool or a liar. Security professionals everywhere are pulling their hair out in frustration over this very thing all the time, probably right now! Corporate security programs are doomed to fail because security (freedom from danger) is their goal, their mission, their daily pursuit – and it isn’t possible.
As a profession, security is NOT about freedom from risk. It is about managing that risk. There will be loss. We are here to minimize that loss. Through people, process, and technology we are here to manage risk in a way that we make unacceptable losses as unlikely as possible, mitigate risk where possible, accept some amount of risk, and plan on what to do to minimize loss when an incident occurs.
Fundamentally, security is about risk management.
