Exploring the Boundaries of Information Security

Oct 23, 2007 | 3 mins
Data and Information Security, IT Leadership

I had a “discussion” recently with a peer regarding the reach of information security. It is my contention that information security, as its name implies, addresses the confidentiality, integrity, and availability of information. Note here what was NOT mentioned… technology. I firmly believe that information security spans well past protecting the computer and its contents. Why shouldn’t our responsibility to protect information push past digital data? If someone stores credit card numbers in a notebook (of the paper variety), should we turn a blind eye? If your medical paperwork is left on the receptionist’s desk at the doctor’s office, who is responsible?

You and I as security professionals have a duty to see that INFORMATION is protected. Yes, binary data is part of that, and quite a majority these days, but so are paper documents and any other media on which information is stored. Protecting information is the foundation of what our profession is built upon. The common perception that security is a technical problem is one that we have yet to overcome on a broad scale. Technology is a predominant aspect of the information security problem; there is no arguing that. The globalization of the economy and our current state of “connectedness” make technology move to the forefront of our security To Do list. Unfortunately, many of us stop there. You and I know that information is critical to the economic survival of our society. You and I do a disservice when we don’t further ensure economic survival by protecting that information on which we depend.

The Department of Homeland Security has a number of infrastructure protection programs designed to help secure those assets critical to the operation of our government as well as ensuring our own health and safety. I must say that many of us have not followed that good example. You have seen it: one system administrator with no backup staff responsible for maintaining 50 or more servers. We see that those servers are critical and we shore them up with every technical bell and whistle we can find. What have we missed? I know what you’re going to say, “information security doesn’t cover people”.

You are wrong. What about the knowledge that your system administrator has amassed over the years? Is that not information? Is that information not critical to the survival of your organization? I’ll bet that information is not documented. What happens if he quits? Where has your information gone? It certainly is no longer available to you. You and I must realize that in protecting information, not just technology, we need to think bigger. Push past the paradigm of securing technology and work to build a culture that values information in any form. You’ll have a much easier time convincing the big shots upstairs that your role is critical if they see you protecting an asset that has value to them.

Chad McDonald, CISSP, CISA, C|EH, PMP is a Senior Professional Services Consultant with Imperva. Chad has worked previously at National Student Clearinghouse, Centers for Disease Control and Prevention, Georgia Department of Audits and Accounts and is the former Chief Information Security Officer at Georgia College & State University. Chad has addressed numerous groups on topics such as business continuity planning, incident response, and information security awareness. Chad has spent the bulk of his career building, managing, and assessing information security for educational and research organizations. Chad has earned multiple professional security certifications. He is a member of the Information Systems Audit and Control Association as well as InfraGard, an FBI Task Force charged with protecting the nation's information infrastructure. Chad is active in the security community. He worked with law enforcement agencies to assist in the prosecution of the first computer crime on record in Georgia and continues to assist local and state authorities with computer-based investigations. Chad has investigated computer and computer-related crimes for local and state law enforcement agencies. Chad is an avid Mac user, since he was rescued from the dark side eight years ago. He currently conducts the vast majority of his work using a MacBook Pro and a MacBook. Chad looks forward to the day that he can stop referring to himself in the third person and actually pay someone to write his bio for him. The opinions and statements expressed here are those of Chad McDonald and in no way reflect opinions or statements of any employer or organization with which Chad is affiliated.