Industry View

Information Security and the Importance of Context

Those entrusted with information security must raise their contextual awareness, say Ben Rothke and Benjamin Tomhave

By Ben Rothke & Benjamin Tomhave, BT Professional Services

August 29, 2008CSO — When the Transportation Security Administration (TSA) was first created, it created a sudden need for tens of thousands of screeners. Getting a job as an airport screener was a pretty easy process. It seemed as though if you had a pulse, you were in. Jump forward to 2008 and becoming a screener is a bit harder as the TSA has instituted background checks, has upped the educational requirement to include a high school diploma or GED, and added other significant requirements.

There is however, a much easier and quicker way to qualify a TSA screener; one that can qualify a candidate in less than a minute. Simply ask them the following question: What is the difference between Al-Qaeda and the Taliban. If they know the answer, they are hired. If they can't answer it, they clearly lack the contextual knowledge to perform their jobs.

Why is that such a critical question? As a screener, their job should be to keep the terrorists off the planes. If a screener knows the difference between Al-Qaeda and the Taliban, it shows they know the context of one of the many critical threats. If they don't know that crucial difference, all they can do is remove the bottles of liquid that violate the 3 ounce limitation.

Their lack of contextual awareness of the threats creates the mess that airport security is in today, where toddlers are pulled aside and the captain of the airplane is interrogated. What really needs to happen is for the TSA to develop a number of contextual questions, beyond the basic Al-Qaeda/Taliban question. Fortunately, there are thousands of such questions with which to work.

So, how do the issues relating to an absence of context informing TSA screening policies relate to information security? Far too many information security professionals also lack an analogous context: they don't know what true threats are facing their organization. They donâ¬"t know what to look for, where their data is, how to protect that data, and much more. That translates into masses of CIOs and CISOs buying security hardware and software and doing information security things, often in the name of information security, but not knowing why. Things get done in the name of information security, but ultimately, information security is not getting done.

For information security to mature, those entrusted with it must attain the required level of complete contextual awareness. The following 3 steps are required to achieve this contextual awareness:

RESOURCE CENTER
Loading...
VIRTUAL CONFERENCE
Data Center Directions Virtual Conference

Data Center VCAttend this free, 100% online event exploring tools and techniques for making your data center deliver for today and tomorrow.

» Learn more and register here

WEBCAST
The Surest Path to Effective and Efficient Compliance

VeriSignIn this webcast, we explore why and how — with best practices, practical tips and solutions that work — to ease your compliance challenge.

» View the webcast

Featured Sponsors
Sponsored Links

IS/IT Project Mgt. Credentials From Villanova - 100% Online

Learn how the new Quad-Core AMD Opteron™ processor improves performance

Data Protection: Challenges for the Traveling User

Key strategies for C-level executives and security staff

E-LOAN Maintains Reputation as a Privacy Leader with Symantec

Data Loss Prevention: Keeping Sensitive Data Out of the Wrong Hands

Prudential Financial Protects its Brand with Symantec

Envision Identity-Based Access Control for the Datacenter

Using Likewise to Comply with PCI Data Security Standard

Solving Online Credit Fraud Using Device Reputation

Think your data is safe? Think again. It's time to Outthink the Threat. Get eBook now

IDC Defines an Identity and Access Management Submarket

IDC Defines an Identity and Access Management Submarket for Managing Privileged User Accounts and Meeting GRC Requirements

Everything Today's CISO Needs to Know About Using SSO to Succeed in the Web 2.0 Era

Configuration Assessment: Choosing the Right Solution

Revolutionizing Endpoint Security with a Single Agent

Envision Identity-Based Access Control for the Datacenter

Rolling the dice with your security? Take the Self-Assessment Test now

7 Requirements of Data Loss Prevention

Information Security: Data Drains and How to Prevent Loss

How Are Open Source Development Communities Embracing Security Best Practices?

Digital Identity Protection and Data Security Get Personal

The Case for Business Software Assurance ~ Securing Your Applications

Forrester Total Economic Impact (TEI) report: Save Millions in Fraud Losses.

Diebold: Frost & Sullivan Global Physical Security Systems Integrator of the Year

Welcome to the age of Service-Oriented Security (SOS)

Enabling Compliance with Converged Mainframe Security and Storage