“Beauty is in the eye of the beholder…”
Well, not as easy a question to answer as you may think. It will mean different things to different people. If I ask Joe Bloggs on the street, they will probably say something along the lines of “it’s about keeping people out of computers – innit?” – Ugh. I’m constantly mistaken for some sort of glorified IT technician; if I’m asked my job title at a party (yes, I do go to some!) and I mention information security, I’m normally asked to help fix their printer/laptop/PC. Again, ugh.
I normally then have to explain that I “help organisations keep their information safe”, whether that be physical, human, IT, legal, paper-based or otherwise. And that’s an interesting place to start. “Safe” for one organisation is not the same as “safe” for another. Security is a subjective thing.
Consider a top secret nuclear bunker versus three men making furniture in a shed. Clearly they both have different needs to keep their information safe. The “3 men in a shed” will likely have the following as appropriate measures:
- Padlock on the door
- Fire extinguisher
- Somewhere else to work if it all goes wrong
Even the last two bullets here are questionable! We’d hope a top secret military installation would have a few more measures than this: motion detection, CCTV, high fences, guards, dogs, guns, multiple layers of protection, an underground location, etc. (still not mentioned a computer yet!)
So even here we can see security is a variable thing. It is entirely dependent on the risk posed and the threats arrayed against the particular organisation, the nature of the organisation, and the particular nature of the information itself – its value, format, type, importance, consequence of loss, etc. Naturally your response will vary depending on the risks faced…
…Or that’s what you would think. In my experience a common bad practice in security management is treating all information equally, normally a consequence of ownership of information being left to the IT division rather than the “business”. Naturally IT departments will focus on networks and systems as a whole, and not the data itself – therefore all data receives the same level of protection, without taking into account its value. Typically this means high sensitivity data does not receive enough security, and low sensitivity information receives too much security (and therefore wastes money and resource).
We must also consider the information environment itself. Information does not exist on its own, just floating in the ether. It may be stored in a computer, on a bit of paper, on CCTV tape or removable media, inside people’s minds, in transit over networks, spoken over the phone, or held within buildings and software. In information security we often have to protect the whole environment in order to protect the information correctly. A good way of looking at “information asset classes” is as follows…
- The information and data itself
- Processes and working practices
- Software, hardware, systems and medium of storage/transport
- Physical facilities and locations
- Systems and services that allow facilities to operate (electricity/water/gas/lifts/telephony etc)
- People (not only the user, but cleaners, third parties, internet users etc etc)
- Intangibles (brand, legals, compliance, reputation, share price, media image)*
*An interesting note here: senior management are generally concerned with the final point on the list, which is often where the consequences of an information security breach land. These are the assets you are really protecting!
Therefore the “IT-centric” approach will not take into account the physical office environment, human factors, paper-based records, legal requirements, working practices, remote working, etc. This leaves a huge gap in the security regime, which has to be holistic to be in any way effective.
“The chain is only as strong as its weakest link…”
One of the greatest problems in information security is that of perceived ownership. IT will think the business owns the information; the business will think IT does. Rather than pointing fingers at each other, we all need to step up and play our part. Only a joined-up response, with all stakeholders pursuing a common goal, will protect information holistically and in proportion to its value.