The Three Faces of Information Security

Last week’s sessions at Infosecurity Europe reminded me of the difference between compliance and real security. They are quite distinct objectives. They are in fact two of the three faces of information security.

Compliance is where most of the current action lies. It dominates the work of the internal security function and justifies the budget for security. Compliance spending is incontestable and repeatable. It sails through investment appraisal processes even when capital spending is pulled. Unfortunately, it’s all based on collections of ancient practices, with a heavy emphasis on documentation and audits. And if you don’t want to pay for security, you simply accept the risk. Your security might be completely ineffective, but your paperwork will gain you full marks.

Business enablement is the side of security that we present to management. The board and the business love you when you tell them that security will enhance your reputation, gain sales, underpin new products and enable new ways of working. It sounds great, but it’s no more than wishful thinking. Such a business case would never get past an investment appraisal board, nor would it be a sustainable source of future budget. But it makes you popular with directors and business managers. “This guy talks our language!”

Real security is the side of security that nobody wants to face. It’s expensive, difficult and disruptive. It’s about managing today’s risks, not fixing last year’s outstanding audit actions. It’s about cancelling dangerous projects, scrapping insecure systems and eliminating bad practices. It’s concerned with tackling advanced persistent threats and insecure SCADA systems that no one wishes to acknowledge. It means taking critical intellectual assets off the network, and telling your project managers to go back to the drawing board. It makes you unpopular, and potentially unemployable.

And this is why most organizations are sleepwalking into a future crisis.

David, your comments are spot on. Employees who are serious about security are generally not too popular. They have to make tough decisions to really secure their data. Globalscape is an information security company. We offer secure file transfer options to companies and it's a daily struggle to get some to realize that even the encryption, etc., are vital. We'll see how information security changes as we see more and more high-profile security breaches.
I also visited the show last week. I was most disappointed that 99% of the stands were for things. Very few of the suppliers I saw were focusing on the people problem other than, say, "the insider threat". Security Culture - wossat.....
A "real" Information Security solution must possess 4 key capabilities: (1.) The ability to continuously monitor multiple real-time data feeds, (2.) The ability to analyze complex events to gain insight into the data, (3.) The ability to graphically represent the results of that analysis as an easy-to-understand dashboard, and (4.) The ability to act on that insight using predefined rules. Operational Intelligence, a new type of data analytics solution, can provide such a comprehensive, fully-integrated Information Security solution.