Despite all the words that could have been chosen for the letter “H”, here it stands for:
We use the word “holistic” semi-frequently in our industry, and there are several definitions. The two definitions I like best are both from the Cambridge Dictionary:
dealing with or treating the whole of something or someone and not just a part:
and the second, similar definition:
relating to the whole of something or to the total system instead of just to its parts
So then, a couple questions with respect to “holistic” and “information security”:
- What is the “whole” of information security?
- Why is the “whole” of information security important?
Let’s figure it out.
What is the “whole” of information security?
Ask an “expert”. Heck, ask ten! See what response(s) you get.
A simple definition of information security would help; however, a significant and often overlooked problem in our industry is that we still haven’t agreed on one. If you don’t believe me, and don’t want to ask an expert, Google “What is information security?“:
- “the state of being protected against the unauthorized use of information, especially electronic data, or the measures taken to achieve this.“
- “Information security, sometimes abbreviated to infosec, is a set of practices intended to keep data secure from unauthorized access or…“
- “Information Security refers to the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.“
- “Information security, sometimes shortened to infosec, is the practice of protecting information by mitigating information risks. It is part of information risk…“
- “The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.“
These are only the top five results. There are certain similarities; however, there are significant differences too. Only one of the definitions mentions risk, and even then it references “mitigating risks” versus managing them. I won’t dissect all the definitions here, but the point is, we don’t all agree. Just last week, I read an article from one of our industry experts who claimed that information security and cybersecurity are one in the same.
Ugh! This is us.
If we’re not confused enough ourselves, how do you think we’re viewed by people who don’t work in our field? You know, the ones who are ultimately responsible for information security in the organizations they lead?
Many of them, and some of us, believe information security is complex, overwhelming, and confusing. The default reaction for such things?
Let’s simplify, explain, and fit information security into organized boxes. Maybe this will help. In order to understand the “whole” of information security, we must first know what “information security” is. The definition:
Information security is managing risk to unauthorized disclosure, modification, and destruction of information using administrative, physical, and technical means (or controls).
We can slice and dice this thing into millions of parts, but this will get us into the weeds quickly and back to that overwhelming feeling. A trick that’s worked for me and my clients is to dissect the “whole” of information security, from the top. Start with the goal or purpose of information security and work our way down through to the minutiae.
The purpose of information security is risk management.
The purpose of information security is NOT compliance and it’s certainly NOT risk elimination (which is impossible). So, start there.
The three high-level functional areas of information security; Administrative, Physical, and Technical means (or controls). Add those next.
Notice the overlap?
Everything is in the context of risk management. Administrative controls govern how we do things, including our handling of physical and technical controls. There has to be overlap between physical and technical controls because it doesn’t matter how well a server is configured when someone steals it.
From here, plug in all the other stuff. Again, fight the urge to dig in the weeds at this point. We can debate details for days (they vary from organization to organization anyway), but this is a good structure for holistic information security.
The most important points for holistic information security are understanding:
- This is about risk management. (NOTE: Risk mitigation, referenced in one of the cited definitions earlier, is a risk decision as part of risk management. Some risks are completely acceptable as-is, and don’t require mitigation.)
- Administrative controls rule the others. Computers only do what we tell them to do. Tell them to do bad stuff, and they will. Tell them to be configured poorly, and they will.
- Information security isn’t an IT issue, clearly.
So, who cares?
Why is the “whole” of information security important?
We can’t fully realize the benefits of information security without understanding and treating the “whole” of information security. We sell ourselves, and the organizations we serve, short. Two important things come to mind almost immediately; we don’t realize the benefits and we don’t live in reality.
Treating the “whole” of information security better protects us from being blindsided by something we didn’t account for. You’ve probably heard the saying, “your security is only as good as your weakest link“? It’s been said thousands of times by people a lot smarter than me; here’s just a few:
That does it for “H”, now on to “I”.