Industry View

It's the Information, Stupid

Security pros won't succeed unless they broaden their focus from the infrastructure that houses information to the security of the information itself. BT Senior Security Consultant Jason Stradley explains how to get there.

By Jason Stradley, BT Senior Security Consultant


Given the reality of our changed world, we as security practitioners must change along with it. We must extend our focus from the security of the infrastructure that houses the information to the security of the information itself. To be successful, we must reconsider the primary mission of the security practitioner.

The need to protect data and information
As an industry we have done a very good job of defining a secure infrastructure. While there are challenges in each enterprise when it comes to implementing and maintaining it, there is an excellent framework that every organization can work toward.

Even though the game is changing, many in the industry have continued to embrace the concept of a secure infrastructure and have tried to evolve it to fit the new security paradigm facing the industry. This evolution has consisted of trying to emulate the secure perimeter in a world where that perimeter is increasingly fluid and can change very quickly. The introduction of numerous portable devices and access methods creates what might be described as a variable perimeter. This variable perimeter has been extremely difficult to define, and even more difficult to implement, maintain and adapt amid the constant change that is more the norm than the exception in today's business climate. Add to this the ever-changing mix of customers, business partners and suppliers, and the fact that at any given time an organization can have all of these relationships with another organization, and we are left with the inescapable conclusion that it is the information that needs protection, not just the infrastructure that houses and transports the information throughout its lifecycle.

When those of us who have been in the industry for many years came to this realization, some earlier than others, it was an epiphany to be sure. Once over the initial shock, a natural question for a security practitioner might be to ask "How in the world do I do that?"

Before we can develop an intelligent answer to the "how," we need to have a better definition of the "what" and the "where" in this new reality. Information leakage has been happening for years and is not a new issue. What is different now is that there are a lot more people seeking to acquire information through illegitimate means. There are a lot more methods by which this can be accomplished, and there are more regulations requiring organizations to take the proper steps to keep this information leakage under control. Lastly, there is an ever-increasing array of penalties and consequences for those organizations unable or unwilling to comply. These trends will continue, so it is in everyone's best interest, except of course "the bad guys", for the industry to evolve with the times and get in front of this issue sooner rather than later.
