E is for Everyone

There are lots of relevant information security words that start with “E”, but I’m going with “Everyone”.

Why?

Three primary reasons:

  1. Information security (good or bad) affects everyone.
  2. Everyone has a role in information security.
  3. If everyone has a role, then everyone must have responsibilities.

There’s a saying I often use:

Information security isn’t about information or security as much as it is about people.

Two important points from this statement:

  1. People suffer when things go bad. If nobody suffered, nobody would care.
  2. People are riskier than technology. Technology only does what we tell it to (for now).

Let’s apply these points to our reasons why “E” is for everyone.

People Suffer

When bad things happen, people suffer. Doesn’t matter if we call the “bad thing” a data breach, a ransomware attack, a phish, business email compromise, or whatever. All bad things related to information security affect real human beings, either directly or indirectly.

Some quick examples:

  • Ransomware attack (poorly prepared) – A ransomware attack hits an organization. The organization isn’t well prepared for it, meaning they didn’t adequately back up their data or adequately protect their backups. The organization has no hope of recovery without negotiating with the attackers and paying the ransom. No worries, “it’s covered by insurance”, a common reply. People suffer:
    • The organization suffered an outage, even if minimal, it’s an outage. Outages mean lost services to customers and lost revenue for the organization. Customers suffer and so do the organization’s stakeholders (owners, investors, employees, etc.).
    • The insurance company suffered the claim loss. This might seem insignificant, but insurance companies are not in the business of losing money. They will raise premiums across the board if necessary to recoup losses. “In the first half of 2020 alone, we observed a 260% increase in the frequency of ransomware attacks amongst our policyholders, with the average ransom demand increasing 47%,” Coalition (one of the largest providers of cyber insurance services in North America). Insurance company stakeholders suffer (even if temporarily), and we all suffer through higher insurance premiums.
    • Paying an attacker a ransom leads to their re-investment in better and more frequent attacks. We all suffer. Everyone suffers, and worse, the cycle continues.
  • Business email compromise – An organization suffers a business email compromise that leads to $800K loss; stolen money through unauthorized ACH transfers. This resulted in a loss for the organization, its customers, and its stakeholders. They all suffered. This attack resulted in $800K that could no longer be spent on good things; things like expansion, employee benefits, employee salaries, etc.
  • Data breach – A hospital gets hit with ransomware, but this variant also exfiltrated protected health information (PHI). The hospital didn’t properly protect itself, and certainly didn’t protect the patients well. The hospital suffered a significant outage, affecting services for patients when they’re needed most. To make matters worse, all patients who were affected by the lost information are now dealing with significant anxiety and safety issues.
    • Anxiety from knowing their private information is in the hands of someone they don’t trust. Contributing to the anxiety is not knowing when/if their information has been used by criminals or how to fix the problem if it did.
    • When a criminal uses stolen PHI to get treatment, their health information becomes mixed with/added to the victim’s. If the criminal gets treatment for a condition using a victim’s medical record/insurance, the criminal’s treatment is now on the victim’s medical record. The next time the victim gets treatment (legitimately), he/she will be treated as though he/she has the criminal’s condition, leading to potentially faulty life/death decisions made by doctors.
    • Victims are also faced with medical bills that aren’t theirs. If you’ve dealt with medical bills before, you know how this feels.

The list could go on, but you get the point. These scenarios are based on real stories. Reality, NOT fantasy.

Information security (good or bad) affects EVERYONE.

At Home

At home the problem is more direct, but less understood. Attackers have always gone after people at home. Since the first home PCs were connected to the Internet, they’ve been under attack. If we think attackers have relented, we’re foolish.

The problems at home are less understood for a couple reasons:

  1. The consumer market has been grossly underserved. This market is underserved because consumer information security is more difficult to monetize. This market is very easy to monetize for cool blinky lights, personal assistants, “smart” homes, etc. It’s a pain in the ass to monetize for information security.
  2. Personal attacks, or attacks at home, don’t grab the headlines like organizational attacks do. People aren’t paying attention (as much); however, this might be changing with the explosion in remote working or “work from home”.

At home, your information security and safety are your responsibility. Not mine. Not the government’s. Yours. Sadly, an attack aimed at you or your children is yours to bear, sometimes alone.

People Are Riskier

Riskier how? In terms of being riskier than the technology or in terms of being riskier than they were before?

Yes. Both.

Technology only does what we tell it to do. Tell it to do bad things (on purpose or by accident), and the technology does bad things. Tell it to do good things, and you guessed it, technology will do good things. It’s not technology that’s bad as much as it’s the behavior of technology makers and consumers that can make it bad. Technology makers are incented to get the product (hardware and/or software) into consumers’ hands as quickly and cost-efficiently as possible, NOT as securely as possible. Information security is up to you then. If you don’t know how to secure the product or technology, then you will suffer the consequences.

Technology makers need to be incented to make things more secure, not punished for making things insecure.

Consumers need to learn better information security habits to reduce their risk within their area of influence; in communities, at work, and especially at home.

EVERYONE has a role in information security. What’s yours?

Roles

In simple terms, there are information owners, custodians, and users. In reality, this is where the breakdown starts. Most people have no clue what their role is. If you don’t know your role, you don’t stand a chance of understanding your responsibilities.

Information Owners

These are people who are directly affected by the loss of confidentiality, accuracy (or integrity), and/or availability of their information. They “own” the information, and it’s theirs.

Examples:

  • My health record is mine.
  • My financial account information is mine.
  • My Social Security Number is mine.
  • My private conversations are mine.
  • My private emails are mine.
  • My credentials for accessing accounts are mine.

I am the information owner. At times, I’m the information owner for people I’m responsible for too, like members of my family.

Information Custodian

These are organizations and people who have been delegated the responsibility of protecting information from the information owner.

Examples:

  • The hospital is a custodian of my health record.
  • The bank is a custodian of my financial account information.
  • The school, employer, bank, credit agency, etc. is custodian of my Social Security Number.
  • The phone carrier (or whoever else I might be using for private conversations) is the custodian of my private conversation.
  • The email provider (personal and work) is the custodian of my private emails.
  • The password manager program (please tell me you use one), and everyone I authenticate with, is the custodian of my credentials for accessing accounts.

Information Users

These are people who use the information in a manner approved by the information owner through the information custodian.

Organizations Are Not Data Owners

Organizations do not “own” our information. Organizations are custodians and users of our information.

Organizations do NOT “own” any information except what they’ve created.

Organizations act like “owners” of our information, but they’re not. If they want to be, then they’ll need to accept the consequences of misuse instead of pushing the consequences onto the real owners (you and me). Organizations act like owners of our information when they make risk decisions on our behalf without our approval. Truly, if more people knew how some (maybe most) organizations protected our information, I’m pretty sure some of us would stop doing business with them.

Responsibilities

Each role has specific responsibilities, but this is where things get even messier.

Information Owner

Information owners must inform/declare to information custodians what’s acceptable and what’s not with respect to protecting their information. Once this has been defined, it’s also the owner’s responsibility to hold the custodian accountable.

The problem

Most people have no idea that they are an information owner or what it means to be an owner. For those who do understand the role, many feel powerless to do anything with it. We have a long way to go in empowering information owners; to delegate information security responsibilities effectively and simply to data custodians. We’ve tried going down this route, sort of, with compliance mandates, but our compliance initiatives are far behind the times and largely ineffective. Much work to be done here.

Information Custodian

Information custodians protect information according to what’s been delegated by the information owner. If nothing has been delegated (explicitly), custodians are left to their own devices. Some custodians treat our information with extreme care while others couldn’t care less. If we’re frustrated by how organizations are protecting our information, maybe we need to back up and look at our responsibilities (as information owners) and create solutions that will allow us to become empowered.

Information User

Easy. Just follow the rules, as defined by the owner and delegated through the custodian. If the user doesn’t understand the rules, it might be due to breakdowns in information ownership and/or custodianship. If the user doesn’t follow the rules because they don’t want to, there are other problems, of course.

If everyone has a role, then EVERYONE must have responsibilities.

Fundamental

This is not only fundamental information security, this is fundamental logic. We’ve got a lot of work ahead of us.

Honorable Mention for “E”

I received many great suggestions for the letter “E” including:

  • Evolution – information security is certainly evolving, but not fast enough. Complexity is the worst enemy of information security, and we’re going too fast to secure things. Technology is evolving much faster than our ability to secure it.
  • Elephants – the “elephant in the room” is often information security, or the lack thereof. If only we could make the elephant a little smaller and little less intimidating.
  • Efficiency – a great word, but could be a can of worms. If we can make things more secure (less risk) and be more efficient, we have the potential recipe for success!
  • Endpoint – endpoint protection is certainly part of the equation, but I didn’t choose it because of the overemphasis our industry puts on its importance. It’s important for sure, but some people (vendors mostly) will claim it’s the silver bullet/easy button. I know the person who suggested “endpoint” is NOT insinuating such a thing (I know him), but others might. Just FYI: silver bullets and easy buttons don’t exist and never will.
  • Encryption – a great suggestion and safe choice. Encryption is wonderful and a critical protection against unauthorized disclosure and/or alteration of data.
  • Evolve – closely related to “evolution”. See above.
  • Exfiltration – another great suggestion. Exfiltration is the extraction or taking of information from an environment, and the word is often used in relation to data breaches. It often results in a compromise of confidentiality if the data wasn’t adequately protected with encryption (another vote for “encryption” above).

One last word that I was considering was “education”. Education is VERY important and we all must continue learning. There are so many good free and paid education opportunities available everywhere, there’s really no excuse for not investing in yourself.

Next up is “F”. Ooh, a bad word I use too much starts with “F”! You know the word, but it’s not going to make it into the Security ABCs, sorry.

Why Isn’t “C” for Compliance?

If you missed it:

And “C” is NOT for compliance. Why not?

The simple answer is:

Compliance is NOT information security despite what people may think.

Judging from how many organizations treat compliance and information security as though they’re the same, people must be confused. They’re not the same. Compliance has never been the same as information security, and it never will be.

Ultimately, compliance is doing what you’ve been told to do.

Explanation

Here’s how compliance works.

A governing body (country, state, industry, etc.) decides it needs to do something about information security, or privacy (a different, but inseparable thing). They write a law, regulation, or standard by which all entities (organizations) must abide. Examples include:

  • 104th United States Congress\Department of Health, HIPAA, all entities interacting with PHI.
  • 106th United States Congress\Federal Financial Institutions Examination Council (FFIEC), GLBA, financial institutions
  • California State Legislature, Assembly Bill No. 375 (California Consumer Privacy Act or “CCPA”), for-profit businesses who conduct business in California that 1) have gross revenue in excess of $25MM, 2) buy, receive, or sell personal information of 50,000 or more consumers, or 3) earn >1/2 of their annual revenue from selling consumer personal information
  • Payment Card Industry Security Standards Council (self-regulation), Payment Card Industry Data Security Standard (PCI-DSS), organizations that handle branded credit cards from the major card brands (VISA, MasterCard, et al.)

If you’re in the sights of the regulation\law\standard, you have little choice but to comply with the regulation\law\standard or face sanctions. Where organizations DO have a choice is in how they comply. Organizations can choose:

  1. To abide by the intent of the regulation\law\standard, or
  2. To abide by the letter of the regulation\law\standard.

The choice comes down to the organization’s understanding, lack of skill, and/or how short-sighted management may be.

Option #1 – Intent of the Law

The intent of information security and privacy related regulations/laws/standards is usually a noble one. Take HIPAA for instance, the intent is to protect protected health information (PHI).

That seems noble.

The challenge is writing a regulation\law\standard that’s prescriptive enough to be effective in enforcing the intent while at the same time being flexible enough to apply to a large population and all its inherent variables. There are 146 mentions of the word “risk” in the Final Rule. This is great because “risk management” fits our definition of information security. Clearly, when reading the text, the intent of HIPAA is to build a fundamental information security program upon risk management fundamentals.

This is not only noble, but it’s very close to producing the same outcome as information security. Sadly, this is as close to information security as compliance gets.

Option #2 – Letter of the Law

If the intent of the law escapes you, you have the other option, a shortcut, the letter of the law. Abiding by the letter of the law is a shortcut, leading to checkboxes and poor information security.

HIPAA calls for a risk analysis in the Security Rule, so shortcutters get out their Excel spreadsheet and do the minimum work necessary to check the box. HHS recognized that people were half-assing it. Many healthcare organizations were not even doing their risk assessments, so in 2009/2010 they incented health care organizations through Meaningful Use Requirements. That still didn’t have its desired effect, so they increased enforcement through the OCR (first settlement in 2009). That still didn’t do enough, so HHS started compliance audits in 2011. Still not enough, so the Omnibus Rule comes about in 2013. Since then HIPAA audits have been delayed and we’re in a bit of a stalemate.

Question. Has healthcare information security been improved, or not? In some places, “yes” maybe. In other places, “no”. There’s nothing definitive to say one way or the other.

Conclusion

“C” is not for compliance because compliance isn’t information security. If you must use compliance as your driver, go after the intent of the law versus the letter of the law (PLEASE).

D is for Data

The words we use make a difference. They make a difference in what we do, how we communicate, and our overall effectiveness as information security professionals.

This may seem basic for you, but it’s important to recognize not everyone is an “expert”. Unless you only work with people like you (experts), you’d better master the application and communication of these basics.

Despite wanting “D” to stand for something else, something a little less obvious and more sexy, it’s for “data”. Covering two things here: what is “data”, and why must “D” stand for data?

What is Data?

Wouldn’t it be nice if there was just one definition? Unfortunately, there’s not for the word “data”. Merriam-Webster has three:

  1. factual information (such as measurements or statistics) used as a basis for reasoning, discussion, or calculation
  2. information in digital form that can be transmitted or processed
  3. information output by a sensing device or organ that includes both useful and irrelevant or redundant information and must be processed to be meaningful

Dictionary.com has four:

  1. a plural of datum (and datum has five definitions)
  2. individual facts, statistics, or items of information
  3. information in digital format, as encoded text or numbers, or multimedia images, audio, or video
  4. a body of facts

BusinessDictionary has two:

  1. Information in raw or unorganized form (such as alphabets, numbers, or symbols) that refer to, or represent, conditions, ideas, or objects. Data is limitless and present everywhere in the universe.
  2. Computers: Symbols or signals that are input, stored, and processed by a computer, for output as usable information.

Despite eleven definitions from these three sources, there are some commonalities. Here’s the definition that I’ve gleaned: data is raw or unorganized information that is factual and/or statistical.

If “information” is core to the definition of “data”, then what’s the definition of information?

Data that is:

  1. accurate and timely,
  2. specific and organized for a purpose,
  3. presented within a context that gives it meaning and relevance, and
  4. can lead to an increase in understanding and decrease in uncertainty.

Summary Definitions

Data is:

raw or unorganized information that is factual and/or statistical

Information is:

accurate, timely, specific, and organized data that provides meaning and relevance

The difference between the two is organization and meaning.

Why Is “D” for Data?

The simple answer is data is at the core of everything that is information security and/or data security. To drive home this fact, not only is “information” in the term “information security”, information is data, and the word “data” is applied all over our industry:

  • data administration
  • data aggregation
  • data breach
  • data integrity
  • data leakage
  • data loss
  • data loss prevention
  • data mining
  • data spill
  • data theft

So, to come full circle on the why “D” is for “data” despite wanting to find a more sexy word, data is fundamental to everything we do as information/data security professionals.

There you have it.

Honorable Mention for “D”

  • decrypt (or decryption) – turning ciphertext data (encrypted) into plaintext data.
  • digital – representation of data in discrete units, such as binary (0s and 1s).
  • denial of service – an attack aimed at making a system, service, or application unavailable to authorized users.

There you go. That’s “D”. “D” is basic. “D” is boring (to some). “D” is fundamental.

Next up is “E”.

C is for Cybersecurity

Cybersecurity is NOT the same as information security.

Different words, different things.

What is “Cybersecurity”?

In order to fully appreciate the difference between information security and cybersecurity, we need to define both.

Information Security

The workable definition of information security that I’ve used for decades is:

Managing risk to unauthorized disclosure, alteration, and destruction of information using administrative, physical and technical controls.

This is a workable definition because it hits all the necessary points:

  1. It’s “managing” risk, NOT eliminating risk. Eliminating risk is impossible.
  2. It’s a business issue, NOT an IT issue; therefore, administrative and physical controls cannot be dismissed. Two common phrases drive this point home:
    • It’s easier to go through your secretary than your firewall.
    • Nobody cares about your firewall when someone steals your server.
  3. Keeping things secret is important (confidentiality vs. disclosure), but so is making sure the information is accurate (integrity vs. alteration) and available (availability vs. destruction).

OK. Now for “cybersecurity”.

Cybersecurity

Cybersecurity or “cyber security”, tomayto tomahto.

Seems this is a combination of two words, “cyber” and “security”. So then, what does “cyber” mean?

Let’s Google it:

Me being me, I’m not one to take a single source of truth at face value, at least not if I can help it. What does Merriam-Webster say?

Alright good enough. Confirmed. Cybersecurity then is defined as:

Managing risk to unauthorized information disclosure, alteration, and destruction using technical controls.

Cybersecurity is a subset of information security. They are NOT the same. We could reason that cybersecurity and IT security are the same (or similar), but not cybersecurity and information security. Sort of looks like this:

If accuracy and language are important to us, which they should be, then we need to get our words and terms straightened out.

Why This Matters

There are several reasons why it matters:

  1. There’s enough confusion already. Don’t believe me, go ask someone to define “cybersecurity” out of the blue. For the best results, ask three or four people who work in our industry and three or four people who don’t. Note three things:
    • The bewilderment with the question.
    • Their exertion in providing a clear answer.
    • Differences between answers (yours and theirs, theirs and others, etc.).
  2. We’ve fought hard to make this a non-IT issue. The struggle is real. For 25+ years we’ve struggled to get business leaders to buy in and take responsibility for what’s theirs. We’ve been consistently preaching this isn’t an IT issue. We’ve trudged and plodded for slow progress. Now, we start using the word “cybersecurity” and we begin to lose ground. The ground we lose may seem insignificant, but ANY/ALL lost ground is bad. If you’ve fought this battle as long as some of us have, you know how hard we’ve grappled with this issue over the years.
  3. They’re both valid terms/words for what they’re already designed for. One word means one thing and one term means something different. They’re both perfectly valid for what they’re designed to communicate. Why mess?

How We Got Here

In my opinion, two reasons, marketing* and laziness.

Cybersecurity sounds cooler, sounds sexier, and probably sells more stuff (not necessarily stuff you/I need). Another reason might be laziness. Information security is eight syllables, and cybersecurity is six. We can save two whole syllables when using “cybersecurity”! Think of all the cool things you could do with the extra syllables we’ve saved! I’ve even heard “experts” refer to information security as simply “cyber”. How sexy is “cyber”?! Using only two syllables?! Sounds super-experty too. The other six syllables can now be used to explain what you actually meant in the first place, I guess.

Changing the meaning of words to fit marketing and/or laziness doesn’t seem right.

How To Get Back

Simple, use your words correctly. If you must use the word “cybersecurity”, preface it with what you’re actually talking about.

Honorable Mention for “C”

  • Confidentiality – protecting from unauthorized disclosure or keeping information secret.
  • Control – we can’t secure things we can’t control. A control is a restriction put upon an asset to protect it from unauthorized disclosure, alteration, and/or destruction. There are many applications of controls and control types, including access control, configuration control, change control, etc.
  • Cryptography – the simplest meaning is “secret writing”. It’s turning plaintext data into encrypted data (ciphertext) and vice versa. Cryptography can be great for protecting against unauthorized disclosure and alteration of information, but doesn’t do anything for protecting against destruction.

Most people could have guessed what “C” was going to be. Next up is “D”.


B is for Business

A business is in business to make money.

You and me?

We’re in the business of living life.

Don’t forget either of these points, now or when you’re doing your (information security) work. Personally, I get messed up sometimes, thinking I’m in the business of securing/protecting everything under the sun, forgetting to live life.

Protecting information is a good thing, even a great thing, but it’s not THE thing.

At Work

For-profit organizations are in business to make a profit. Non-profit organizations are in business to serve a mission.

It’s not that binary though, is it?

There are mission-driven companies, and there are non-profit organizations who rake in millions.

What drives your organization?

Mission-Driven

I can speak from experience on this. SecurityStudio and FRSecure, the two companies I work for, are both mission-driven organizations. They are for-profit companies, but it’s all about #MissionBeforeMoney.

Our mission? To fix the broken information security industry.

We serve out our mission by:

  1. Serving in our industry’s best interest. We seek partnership and collaboration with like-minded organizations, and we steer clear of bad-mouthing and destructive behaviors. We avoid and/or terminate relationships with organizations who aren’t like-minded.
  2. Serving our customers’ best interest. Always. Two things: don’t ever sell a customer something they don’t need (or the rumor is I’ll run you over with my truck), and stay product agnostic (selling products and consulting shouldn’t mix for us because there’s an inherent bias).
  3. Building solutions to fix real problems. Real problems might be difficult to solve, but it’s what we do.

OK. What about your organization?

If you work for a mission-driven organization, what’s the mission? If you don’t know the mission, then you’re probably not working in a mission-driven organization.

Money-Driven

Pure money-driven organizations focus on money obsessively. They will sometimes compromise quality and/or doing what’s in the best interest of their customers to make more money. In reality, pure money-driven organizations are heartless.

Good thing though, pure money-driven organizations seem rare. Most money-driven organizations are a mix between money lust and mission.

Why This Matters

You work for an organization. If you want success in return for your information security efforts, you’d better align your efforts with the purpose of the organization.

  1. You must figure out and communicate how information security feeds your organization’s mission, and/or,
  2. You must figure out and communicate how information security will make your organization more money.

Both can be done. It’s work. But it’s worth it. You’ll serve the organization better, and you’ll be better too.

Business people think information security is a cost center and/or some necessary evil. It’s obvious. How many times have you heard:

  • What’s the minimum we need to do?
  • What’s the cheapest way to check the box?
  • We don’t include information security in business decisions because it slows things down.
  • We don’t have money to hire help.
  • Etc., etc., etc.

It’s no wonder we don’t have “buy in” from the business. We’re not aligned with the business!

Every misspent dollar on information security is one less dollar for the mission and one more headache for the bean counters.

At Home

You’re in the business of living life, we all are. You might be someone who works in information security, or maybe you’re not. Either way, you’re still in the business of living life.

So, how does information security improve or make your life better? If information security doesn’t, why bother?!

  • Passwords. No thanks.
  • Scary things. No thanks.
  • Extra steps. No thanks.
  • More work. No thanks.

We need to figure out (for ourselves and others) how to position information security as something that improves life; something that makes life better. Information security is a life skill, and we’d all be more skilled if it was enjoyable and simple.

We’re working hard on this front with S2Me. It’s 100% FREE, go check it out. Also, go check out all the awesome content put out by Wizer.

Closing

So, there you have it. “B” is for “business”. We need to make information security more “B” friendly at work and home.

Honorable Mention for “B”

  • Basics – the basics of information security are what form the foundation of information security. Poor basics = poor foundation. Poor foundation = crumbling structure (or information security program). Most risk is found in missing (or broken) basics. Master them. If you don’t know them, learn them (book).
  • Backup – bad things happen. What will you do when they do? No backup, expect to lose data (forever). Expect it because the time will come soon, and it’s never convenient.
  • Bit – the smallest unit of data in a binary system, like your computer. Bits are cool. When they get together, they make bytes, kilobytes, megabytes, etc. Speaking of backup (previously), get all your important bits!

Next up, “C”.

A is for Accountability

Information security ABCs – An exercise in the fundamentals and basics of information security for everyone.

Accountability

the state of being accountable, liable, or answerable.

This is where information security starts. If accountability were better understood, agreed upon, practiced, and enforced, we’d have much better information security.

Who’s ultimately responsible for information security in your organization?

This is a question I’ve asked 100s of organizations over the years. You’d be surprised by the answers:

  • “I don’t know.”
  • “That’s a good question.”
  • “Well, I am (the CIO, CISO, etc.).”
  • “We all are.”
  • “Nobody is.”

What’s the right answer? Simple, do this:

  • Grab an organization chart.
  • Find the person/people at the top of the chart.

This is the correct answer. Always.

Sample Org Chart

Three questions then:

  1. Does the person/people at the top know they’re ultimately responsible for information security?
  2. If so, do they act like it (demand periodic status updates, champion the cause, plot direction, delegate effectively, etc.)?
  3. If not, who’s responsible for telling them?

The sample organization chart above is semi-typical for a business. Let’s look at a city, county, and/or school district. Same thing applies, the person/people at the top is/are ultimately responsible.


If this ultimate accountability is missing or broken, then expect the information security program to be missing or broken. The lack of accountability at the top permeates through all other information security efforts.

Tip: Define ultimate responsibility for information security in your organization and document it in an information security charter.

Top-Down

There’s a saying, “information security is everyone’s responsibility.” This is sort of true, but sort of not true. It’s true that everyone has responsibilities in information security, it’s not true that information security is everyone’s responsibility. Ultimately, information security is a responsibility that lies at the top. Only once this is realized, can we effectively begin to define and communicate delegated and supporting responsibilities.

Don’t assume that people know what their responsibilities are. Once responsibilities are defined and agreed upon, we can start practicing/enforcing accountability.

The CISO

In simplest terms, a CISO only has two responsibilities.

  1. Consult on information security risk, enabling the business to make sound risk decisions.
  2. Implement the business’ risk decisions in the best manner possible.

Both of these responsibilities are delegated from the top. In some cases, the top may delegate risk decisions to the CISO as well. This can work if the parameters are well-defined (and documented) and the CISO is empowered to do so.

NOTE: This approach is a delegation only, and should/does not absolve the top from their responsibility.

Honorable Mention for “A”

  • Asset (and asset management) – something that has value to a person or organization. Assets can be tangible (hardware, facility, etc.) or intangible (software, data, intellectual property, etc.).
  • Authentication – proof of an identity (subject or object). Three factors: something you know (password, PIN code, etc.), something you have (token, mobile phone, etc.), and something you are (biometric).
  • Access (Control) – what a subject can do with a system, file, object, etc.

Next up, “B”.