What is the job of information security?

In one particular episode of Black Books – a great sitcom starring Bill Bailey and Dylan Moran – Fran starts a new job. After her first day in the office she reports back that “All I know about my job is that there are biscuits in the stationery cupboard!”

I think we’ve all had that sort of day where we’ve gone home and wondered exactly what it is that we do. This, I believe, is particularly common amongst information security professionals. The reason is that everyone seems to have a different perception of what the job is all about.

Take, for instance, Nitesh Dhanjani who says (quoted from Taosecurity) that the job of information security is to make it harder for people to do wrong things. That’s definitely a better definition than the usual definitions stating that the job is to protect assets, mitigate risks blah blah blah…yes we know. Thank you very much. Mine’s black with one sugar please.

Personally, while I like Nitesh’s definition I think it’s wrong. The job of information security should be to make it easier for people to do the right things. But it isn’t. A lot of the time the job is to protect the organisation from people who do stupid or illegal things.

The job could also be simply stated as being to protect revenue. That’s a much more emotive approach to take. However, nobody will believe you because the screensaver on their desktop has just activated and they can’t find the piece of paper they wrote their password down on. So, in fact, in the eyes of the sales and marketing folk, your job is to prevent them from doing their jobs.

In reality the job is a balancing act between working to prioritise what can be done against what you would like to have done, what you have time to do, and what your management want you to do.

We shouldn’t get too hung up on it all though. In the words of the late, great Harold Bennett, better known as The Young Mr. Grace in “Are You Being Served?”: You’re all doing very well….