Have you ever noticed that if you stick 3 security professionals in a room you’ll get 3 different opinions?
That’s the first thing that popped into my head when I was asked to explain what security is to some colleagues.
What is Security?
- Security is to protect against malice, error and mischief.
- It is ultimately a trade-off. To get some “security” you need to give up money, time or convenience (personal freedoms) in order to feel or become secure.
- It is a function of “duty of care” that a business must provide.
OK the longer version – What is it?
Security is ultimately identifying and managing risks, most of which are based on fear (and to a lesser extent Uncertainty and Doubt – FUD), and it is something every one of you thinks about and deals with every day. From where you sit on a train, to where you park your car, to what street you walk down at night, you think about what could happen.
Enterprise Security attempts to put a formal framework around identifying these fears, remove the emotional baggage associated with FUD and arm those that have to make the decisions.
“But that’s not my experience.”
You might say “but that’s not my experience”. Technology Security, specifically in the Enterprise, has generally been approached in a piecemeal, or point solution, fashion for a very long time. The market has played with our emotional baggage and driven the FUD factor, causing businesses to buy that one product that will band-aid/cover that potential flaw in that critical system whilst failing to address the root cause.
We know we need to have building, infrastructure, information and policy security, as well as risk assessment with a bit of compliance thrown in the mix, but for a very long time these have been delivered by completely different areas from within the business (Facilities, IT, HR and Finance), cobbled together in a fashion where Security is almost an afterthought and where it will be seen by everyone as business prevention.
Today, as organisations have matured, Security, like IT services in general, is coming to be considered an integral part of the business’ development.
A Relative term.
Remember when I asked “Have you ever noticed that if you stick 3 security professionals in a room you’ll get 3 different opinions?”
You need to remember that, for the most part, security is a relative term. Each person has a certain view on each topic, e.g. I don’t like catching the train at night due to bad experiences, whereas my wife prefers to catch the train (over getting in a cab, for instance – though the Australian Bureau of Statistics isn’t all that helpful when wanting to do that sort of comparison).
Work related example:
- How do you feel about sharing your passwords?
- What about password sharing in a manufacturing, warehousing or retail environment?
- How would the managers of these staff view sharing of account details?
- Now what about management when something like PCI comes into play?
Each component in a Business environment, or ecosystem, has different values to different people within an organisation, let alone between organisations.
Security within an Enterprise tries to take these disparate viewpoints and consolidate them into a formalised view addressing the various needs of the business, as well as those of key individuals, ideally removing as much FUD as humanly possible.
Where to take security today?
The idea is to take Security and turn it from a HAZMAT suit approach into an immune response. By that I mean to stop trying to wrap the business in a preventative/protective shield for the “just in case” or “worst case”, and move to a more dynamic stance where you are able to cope with changes by applying business logic to any given situation.
There are a number of formal Security Architecture, Risk Management and Governance frameworks and methodologies (and to a lesser extent ontologies) out there to help, like ISM, PSPF, SABSA, Zachman, COBIT, ISO/IEC 31000, ISO/IEC 27002, and TOGAF (OK, the first two are Australian Government standards, but hey, they fit the bill).
These play a role, to varying degrees, in overseeing the design and build of Business Systems which are:
- Free from fear;
- in safe hands;
- not likely to fail;
- safe from attack.
These all provide the formal framework for identifying the requirements and risks (fears), and work to remove the emotional baggage and apply some sense to how they are addressed, arming those that have to make the decisions.
There are a lot of great resources out there, both generic and specific to particular issues; they are but a Google search away.