The nature of the security game hasn’t changed much over the past 10 to 20 years. Sure, the tools and technologies, and the types of offensive and defensive strategies that are employed have changed, but we’re still challenged in many of the same ways that we’ve always been. We’re still engaging in a losing battle against an invisible enemy while trying to make the best possible use of what little human and financial capital we are granted to defend our information ecosystems; all while trying to advocate for more support, more money, and more people to do the job – despite a perceived lack of ‘tangible’ evidence that the work we do has any actual value.
If you’ve been tasked to take an active role in protecting your organization’s information assets, then you may have already experienced some of this for yourself. To make matters worse, we now live in a mobile, social, cloud-based world, where information exists in a completely untethered state and our existing information ecosystems are incapable of containing it. The complex systems that we work with just continue becoming more complex, as do the social and organizational cultures that influence (and constrain) our efforts to defend them. And, truthfully, no one really has a ‘silver bullet solution’ for how we handle this growing problem.
Rather than figuring out how to shift our current security paradigm, most of us are so busy, and so constrained by finite resources, that we reach for the ‘easy’ answers, the ‘low-hanging fruit’, thinking that any action is better than no action. It’s not uncommon to turn towards the next latest and greatest technical security ‘solution’ offered by a favored vendor, especially when you consider the types of ‘promises’ being made. While the technologies required to limit the likelihood, breadth, and depth of a potential security incident are indeed essential to a holistic information security program, there are limits to the protective value that these technical controls can offer.
If it’s clear to us that a technology-centric approach isn’t the answer, then what is? Regulatory compliance certainly hasn’t addressed the issue – nor have any of the ‘best practices’ that are commonly held up as the way security should be done. In some cases, the compliance/best practice mindset so commonly adopted nowadays has actually distracted us from the things that matter most. Caught up in answering the question of “are we compliant?” we forget to ask the question “are we secure?” Even more importantly, we forget to ask the question “does my security program make sense for me?”
With our rampant adoption of commoditized security technologies, increased emphasis on compliance mandates, and continued use of outmoded ‘best practices’, somewhere along the way the importance of *context* has been lost. I’m not sure it’s possible to pinpoint the exact moment that everything began to shift, but more and more organizations these days are taking a ‘one-size-fits-all’ approach to the protection of their information assets, asking “what does everyone else do?” While it may be a fair question, it’s not the right question to be asking. Asking the right questions takes courage – the courage to challenge the status quo, and to focus on what works instead of what’s popular or convenient.
Over the next few months (during our ramp-up to fully operational status in July 2013*), SecureITExperts will be releasing a series of articles and papers on the topic of ‘Contextual Relevance’. The basic premise is that, for information security to function properly, it MUST take into account the unique organizational context that applies in any given situation. This fundamental concept is so crucial to the underlying fabric of a successful security program that it pervades all aspects of the security function. While this isn’t necessarily a revolutionary idea, it’s most certainly an idea that has received less attention than it should have of late.
Amongst our many planned releases, we’ll be including detailed descriptions of how to incorporate contextual relevance into:
• Establishing the risk appetite of an organization
• Redefining how we measure and manage risks
• Building an overarching control framework
• Developing meaningful security policies
• Creating awareness and training plans
• Selecting appropriate technologies
• Dealing with incident response
• …and much more.
So be on the lookout for our first formal release later this month – and enjoy.
Thank you for your time and attention.
*Note: SecureITExperts remains under the legal limitations of a signed non-solicitation, non-compete agreement that will be expiring at the end of June 2013. These legal limitations prevent us from working with certain clients in the Washington, Oregon, and California regions. Please feel free to contact us at 425.877.0919 or e-mail us at firstname.lastname@example.org if you are interested in our services, but are unsure as to whether or not you might fall under the conditions of our current legal constraints.