What is the job of information security?

In one particular episode of Black Books – a great sitcom starring Bill Bailey and Dylan Moran – Fran starts a new job. After her first day in the office she reports back that “All I know about my job is that there are biscuits in the stationery cupboard!”

I think we’ve all had that sort of day where we’ve gone home and wondered exactly what it is that we do. This, I believe, is particularly common amongst information security professionals. The reason is that everyone seems to have a different perception of what the job is all about.

Take, for instance, Nitesh Dhanjani who says (quoted from Taosecurity) that the job of information security is to make it harder for people to do wrong things. That’s definitely a better definition than the usual definitions stating that the job is to protect assets, mitigate risks blah blah blah…yes we know. Thank you very much. Mine’s black with one sugar please.

Personally, while I like Nitesh’s definition I think it’s wrong. The job of information security should be to make it easier for people to do the right things. But it isn’t. A lot of the time the job is to protect the organisation from people who do stupid or illegal things.

The job could also be simply stated as being to protect revenue. That’s a much more emotive approach to take. However, nobody will believe you because the screensaver on their desktop has just activated and they can’t find the piece of paper they wrote their password down on. So, in fact, in the eyes of the sales and marketing folk, your job is to prevent them from doing their jobs.

In reality the job is a balancing act between working to prioritise what can be done against what you would like to have done, what you have time to do, and what your management want you to do.

We shouldn’t get too hung up on it all though. In the words of the late, great Harold Bennett, better known as The Young Mr. Grace in “Are You Being Served?”: You’re all doing very well…


I'd say that the goal of implementing Information Security is to prevent people from doing the Wrong Thing(tm). Like many goals, it's unachievable in its entirety, but it guides your efforts. As many, many people point out, information security isn't, however, an endpoint; it's a process, or a tao, in the true meaning of the word. You can't buy it, but you can operate by it. The problem comes when, as you mention, day-to-day operations come in the way of securely conducting business. In an ideal world, you would change the way that you conduct your day-to-day business and there wouldn't be any pushback, but this is not the real world, and sometimes the work flow that people are accustomed to doesn't lend itself to secure processes. It's a best-effort sort of thing, and you should continually push to improve your efforts.
Totally agree Matt. However, it's those day-to-day operations that pay the bills, so we've got to make sure that our processes fit those rather than the other way around.
You're right, it's always a compromise. Much like the ideal gas law, the ideal security policy has no perfect counterpart in real life. I think it boils down to the necessary security of what you're protecting. Recipe databases need less protection than financial data.