By Hylton Stewart
The way things were
I think we can all agree that in the past the Information Security person has been the one voice in your organisation telling everyone what they cannot do, or implementing security measures that have been seen to be overly complex and time consuming. This has lead to InfoSec having the reputation of being a disabler, a business opportunity and growth blocker, and a major cause of inefficiency and conflict in most organisations.
An explanation was seldom given by the Information Security person, except to say that whatever the business is trying to do would cause too many security vulnerabilities. Even when an explanation was given, it was delivered in incomprehensible technical IT terms or without any apparent consideration for the business goals and objectives. There was very little time given over to consultative discussion with business relevant stakeholders when it came to Security.
To understand why Information Security has been this way in the past, a brief look at its origins and roots may be helpful.
In the beginning
Much of the foundation of Information Security originates, perhaps not surprisingly, in the military. One of the initial concepts developed by early InfoSec practitioners was the ‘CIA Triad’ (this stands for Confidentiality, Integrity, and Availability), which itself brings connotations of secrecy. This concept of CIA is still very much valid in Information Security today; as we will see in this series it is the application (and the application of the rest of the InfoSec discipline) that needs to change. Possibly the first study of ‘Information Security’ was performed by a task force established by ARPA (Advanced Research Projects Agency), to analyse and improve the security of the ARPANET – the forerunner to today’s Internet. At the time ARPANET was used to connect military and university computers together over a public telephone system, and up to this point almost no consideration was given to protecting the information on these systems.
What this has meant for Information Security
This military bias and technical history has led InfoSec to be mostly an IT focussed discipline, with strong roots in secrecy and dictatorial policies. Business and organisations have evolved dramatically, and the threats to businesses, individuals and their information, have also evolved at an ever increasing pace. Unfortunately while the technological skills of the Information Security community may be close to keeping up with the threat landscape, the understanding of business objectives and risk, and the flexibility of most InfoSec professionals still has a long way to go in being able to fully support driving business objectives and growth.
In the rest of this series I will look at how and why InfoSec needs to evolve and mature, and join the C-Suite if businesses are ever to be truly secure and able to pursue their objectives.
If you have any questions about the information security of your business, do get in touch with one of the experts at the Conosco Security Division: firstname.lastname@example.org