When I chose information security as my profession, it was a conscious decision. I felt compelled towards the technology and the fascinating challenge of securing a shifting, metamorphic ecosystem. When we think of the term “security” in our technology context today, we immediately conjure up images of putting up walls, defenses and traps to keep the hackers, thieves and spies at bay. But given the harsh consequences, bordering on the catastrophic in some cases, of today’s security incidents, I feel we need to re-think how we define security. I wrote in my last blog (https://blogs.rsa.com/ciavalue-ciso-imperative/) about adding “Value” to the Confidentiality, Integrity and Availability principles of information security. The more I think about it, the more I believe we may need to redefine the term Security, in general, in our industry.
As a father and husband, my family’s security is always a consideration. However, I don’t just think of the locks on the doors and windows of our home. I factor in many other elements. I consider our financial future. Am I investing enough to ensure financial stability in the future? I consider our health. Are we going to the right doctors? I consider our emotional happiness, my children’s education, our values, and our ability to live long productive lives. My vision of my family’s security goes well beyond just their personal safety. It projects into the future. It is holistic. It isn’t just “defense against bad things”. My definition of the security of my family is protection of their immediate and long term well-being.
Working for RSA – the SECURITY division of EMC – I am constantly aware of some of the immediate (and I assert inaccurate) reactions to that label. Security in this age does NOT mean just defensive measures. To me, RSA, as the SECURITY division of EMC, is therefore chartered to help our customers protect their immediate and long term well-being. Just like considering more than locks on the doors of my home, this mandate goes well beyond traditional security concepts.
Is the business protecting its financial viability for the future against all threats? Some of the threats are absolutely related to the hackers, thieves and spies. Cyber-risk is top of mind for all companies now and the connection between the technology and the business has undeniably hardened. However, threats such as natural disasters, compliance failures, poor governance, fraud, and a host of others can impact this financial viability with equal violence.
Is the business making the right relationships – or managing the risks around the external parties that contribute to the company’s strategy? No company is an island today. Some business function, operational element or widget critical to the company’s success is outside its control. Managing relationships with vendors, service providers and business partners is essential to long term welfare.
Is the company fostering a risk aware culture and enabling their employees to make the right decisions? Just like concern around my family’s education and values, a secure organization means that the people, the first line of defense against many of today’s risks, understand the long term implications of their actions and make the right choices.
These elements of ‘security’ point to a broader, grander vision beyond the traditional boundaries of technology security. Within RSA, the addition of Governance, Risk and Compliance concepts on top of conventional protection strategies implemented through innovative technologies brings these extra, necessary elements to the mix. If today, business IS technology – regardless of the industry – we can no longer think in the same terms and differentiate between technology security and business security. Business security, like my family’s security, is beyond locks on doors.
There has been much prognostication on what 2015 holds. My proposal for you to consider is to explore a broader definition of security with your business stakeholders and engage in the discussion of the health and wellness of the company. Take security beyond its traditional boundaries. Go beyond the bits and the bytes. Factor in the full range of threats your organization faces. It cannot just rest on the few InfoSec resources within the company. We have seen what happens when the entire company - management included - has not engaged against digital threats. When you discuss Security (capital “S”), think of it as the protection of the immediate and long term well-being of the company.
This mindset elevates your conversation of IT security into the world of operational risk management connecting digital risks with the broader business risk. For more information on Operational Risk Management, see Gartner's latest report.
Wow, very nice and to the point, this could go on my 2015 resolutions list. I like the way you approach security by thinking out of the box. I think that at the root of the problem is the fact that in today's world security has not risen to its rightful place; very often we think of it when something bad happens, as opposed to addressing it before something goes wrong. It has always been my thought that security should be built into application, infrastructure and life itself from the very moment of inception. I am, however, well aware of the fact that security is not cheap and often it can drive up the cost of putting something into production. The reality is that if you build something without any security considerations, then you're asking for trouble. And yes, I agree with you when you say that we should re-evaluate the confidentiality, integrity and availability security pillars to include value, since the value of your assets could determine how much resources should be leveraged to protect your assets.