J is for Jaded

The ABCs of Information Security

Learning the ABCs is important to understanding the English language, and the ABCs of Information Security are important for understanding the basic concepts in information (and people) protection. These ABCs are written as education for people who don’t speak information security natively and serve as good reminders for those of us already fluent in this confusing language.

Here’s our progress thus far:

And now for “J”.

One is justified in their joy and jubilation from the judicious and just protection of information.

The jibes, jeers, judgement, and jitteriness of losing to jackanapes along our journey through the jargon, jabberwocky, jactitation, jostling and jackassery of our juvenile industry makes us justifiably jaded.

There you have it.

“J” is for Jaded

We’re not all jaded all the time, but too many of us are jaded too often.

Feeling jaded seems to come with the territory. As someone who works in this industry, sometimes it feels like we’re fighting a fight that can’t be won, we’re losing ground, and that life has given us the short end of the stick. Given enough time in this industry, you’ll either become jaded or you’ve fought hard against becoming so.

If you’ve done something so much that it doesn’t excite you anymore but just leaves you tired, consider yourself jaded. If someone says you look a little jaded, it just means that you look tired.

https://www.vocabulary.com/dictionary/jaded

The formal definition of “jaded”, courtesy of George Merriam and Noah Webster (not really, these two are long gone and Merriam Webster, Inc. was acquired by Encyclopedia Britannica, Inc. in 1964):

  1. Fatigued by overwork : EXHAUSTED
  2. Made dull, apathetic, or cynical by experience or by having or seeing too much of something.

Being fatigued, exhausted, overworked, dull, apathetic, and cynical are not things we should aspire to.

Jaded is Bad

There is nothing good about being jaded. People who are jaded live a sad life, or at the very least, a life with less joy than there should be.

Here’s what Dr. Stephen Diamond (a clinical and forensic psychologist) has to say about jaded people:

bitter, jaded people tend to project a self-righteous attitude suggesting they’re justified in feeling resentment. They’re often bored and cynical. They observe and criticize more often than they participate. Because they believe they’ve been burned, they no longer have the trust necessary to build solid, positive relationships. They believe the world is unfair and freely express their impatience and anger. They no longer expect success, but don’t accept responsibility for their failures; instead, they blame others. They’re almost always irritable and frequently express annoyance in most situations.

The highlighted words represent traits that are too common with people in our industry, some of these people we know personally, and maybe one of those people is you.

Jaded people often lash out at others. Bitter sarcasm and criticism are hallmarks. They often feel like they’re victims of what they perceive as injustice. The injustice leads to resentment, anger, and general unhappiness. Jaded people are more likely to suffer from burnout, mental health issues (depression, anxiety, et al.), broken relationships, and chemical dependency (self-medication).

Again, think about people we know in our industry; the people we fight alongside every day. There are people we know personally who have a self-righteous attitude, criticize more than they should, and have lost patience with “dumb users” and/or “incompetent management”. Dialogs such as these are examples:

US: “We need to educate our users and constantly make them aware of information security dangers.”

JADED US: “Why waste our time or money? They don’t get it and they never will. They just keep clicking on links and choosing sh*tty passwords.”

OR:

US: “Let’s figure out a better way to communicate with executive management and the board. If they understood better, we’d be able to secure the budget we need.”

JADED US: “What’s the use? Management doesn’t give two sh*ts about information security!”

Someone who’s jaded has given up, lost hope, and just exists to exist. They’re debilitated and they’re debilitating to the people around them. Someone who isn’t jaded is still fighting the good fight. They’re relaxed, rested, energetic, and active. Jaded people have a negative impact. People who aren’t jaded make a positive difference, creatively solving problems and hoping for better outcomes. The truth is, jaded people hurt themselves and others. People who aren’t jaded help themselves and others.

Jaded people hurt themselves and others.

Jaded people are NOT bad people. Please don’t make this mistake. Often, they are good people who care(d) deeply about something. They care(d) so much, they took it personal and suffer(ed) for it.

Too simple? Maybe, but the point is this; we need to do everything we can to avoid becoming jaded.

But how?

Start with a simple and honest self-evaluation; are you jaded? If you’re not sure, ask someone close to you. Then decide:

  • If you’re jaded, choose to come back or not.
  • If you’re not jaded, learn how to keep yourself from becoming jaded or not.

The mindset and skills are the same either way.

People who work in our industry often (or always) find our work stressful. When we become jaded, we negatively impact our quality of life and become much less effective in our work. Back to our definition of the word; jaded people are fatigued by being overworked and/or made dull, apathetic, or cynical by experience. Being jaded is not acceptable to me, and it shouldn’t be acceptable to you either. So, let’s do something about it.

Fatigued, Overworked, and Exhausted

People who work in our industry are some of the most passionate, motivated, and intelligent people anywhere in the world. We’re unique and we’re amazing! The passion pushes us to work our tails off, mostly without appreciation beyond our paycheck (we do get paid well though). Some of us work 50, 60, 70+ hour weeks, forgo vacations, and sleep much less than we should. Our passion will work against us when/if we’re not in balance. The constant hard-driving workload can lead to fatigue and exhaustion. Eventually, something has to give.

To make matters worse, it doesn’t matter how many hours we put in, security incidents are inevitable. No matter what we do, we cannot prevent all bad things from happening. When the bad thing happens, then “they” notice; the appreciation we longed for becomes condemnation. Nobody cares about the 1,000s of hours we put in, often while others weren’t watching. They want to know why the bad thing happened and who’s to blame.

Feeling any injustice? Oh, how we need tools to fight against becoming jaded! So, what to do?

Priorities

Somewhere along the line, we might get our priorities messed up. Our job is a job. We do it as well as we can, but we must recognize that work is not life. Work is part of life, but it is NOT life. Good priorities might look something like this:

  1. Faith
  2. Spouse (if you’ve got one)
  3. Family
  4. Work
  5. Friends

Notice how “self” isn’t listed? Self supersedes all priorities. Self-preservation is primal.

You could switch #4 (Work) on the list with #5 (Friends) and still be OK. Regardless, work is NOT in the top three. Bad priorities look like this:

  1. Work
  2. Fame
  3. Money
  4. Spouse
  5. Work
  6. Family
  7. Work
  8. Friends

The first list lends itself to health, the second list lends itself to becoming fatigued, overworked, and exhausted. Couple messed up priorities with the nature of our work; guaranteed failure (if failure is defined as preventing all bad things), and you have a recipe for becoming jaded.

Health (Spiritual, Mental, and Physical)

All health requires maintenance. If we’re not maintaining our health, we can expect it to fail (eventually) and we can expect it to suck.

This isn’t the place or time to preach Jesus to you, but we all need a spiritual “higher power”. This is the place we go when the world doesn’t make sense, and we all know the world doesn’t make any damn sense, right?! If you need help finding a spiritual advisor, reach out to a close personal friend for guidance. If you don’t have a close personal friend to trust for this guidance, you get my advice; seek Jesus! That’s all the preaching you’ll get (for now).

According to the National Institute of Mental Health, nearly one in five U.S. adults live with a mental illness (51.5 million people in 2019), and less than half (44.8% or 23.0 million people in 2019) received mental health services. Think about these numbers for a second. Due to the nature of what we do and the stress related to it, the percentages for us are probably worse than for the U.S. population as a whole. Most of us rely VERY heavily on our minds, and if our minds are broken, then what? If you need help, or think you might need help, here are some great resources to check out (DO NOT IGNORE THIS):

It’s easy to overlook our physical health, but we can’t. Most of us sit for hours on end at a computer keyboard. This is not healthy. We must get up, get out, exercise more, and eat healthier. There’s nothing glamorous about dying of a heart attack while reverse engineering a piece of code.

Our health has a direct impact upon being jaded. The more unhealthy we are, the more likely we are to become jaded. The inverse is also true.

Dull, Apathetic, and Cynical

The second part to our definition of “jaded” is being dull, apathetic, and cynical by experience or by having or seeing too much of something.

Seriously, how many times have we:

  • Seen someone click a link they shouldn’t have?
  • Witnessed someone fall for a phishing attack after we’ve taught them a kajillion times not to?
  • Read about a breach that should have been prevented?
  • Told people to master the basics, only to see them NOT compile/maintain an asset inventory?
  • Shaken our heads at dumb mistakes people (including “we”) make?
  • Beat our heads against the wall trying to get management to give a sh*t?

After a while, shouldn’t we just give up? What’s the use? People keep doing dumb things and making crappy decisions. Aren’t we tired of it yet?!

Spoken like someone who’s jaded.

Maybe it’s not them. Maybe it’s us.

Expectations

Maybe we’re jaded because we have too many or the wrong expectations. We’re less likely to become jaded when things go well, when we experience things that are good (or exceed our expectations). It’s not like we’d say:

  • “Dammit, Jane in accounting picked a great password again!”, or
  • “Life would be so much better if Joe would just click links without thinking more often.”, or
  • “It just sucks when management always gives us the budget we need for information security.”

Absolutely not. Some (or a lot) of our jadedness comes from being disappointed. We’re setting the wrong or unrealistic expectations, leading to disappointment, leading to frustration, leading to becoming jaded. We think expectations are good, but they’re often not.

What did we expect in the first place? Did we actually expect humans to NOT be human? Did we expect management to treat information security like it was THE issue versus AN issue? Did we expect people to listen to us when we don’t speak their language? Did we expect to not have breaches? Did we expect such a thing as risk elimination, or did we realize this is actually about risk management?

If we set expectations, we should expect to be disappointed. Expect disappointment, and if it happens often and long enough, it WILL lead to frustration. Frustration is the last step on the path to becoming jaded. This is the “jade cycle” (simplified), see diagram.

The math: (-e + e2) = -d + -j, where e is expectations, e2 is better expectations, d is disappointment and j is jadedness. Essentially, fewer expectations and better expectations = less disappointment and less jadedness. Living life without expectations is NOT the goal, living a life with fewer and more realistic expectations is the goal.

NOTE: The exception is computers and other logical, binary things. We can always expect computers to do what we tell them to do. Care must be taken with emotional and non-binary (analog) things like human beings.

Summary

Beware and be aware of jadedness in yourself and others in our industry. It makes us less effective and it steals our joy. If you need help, ask for it. Being jaded is more common than many of us realize, and it does nothing to help our cause. The cause being better information security, and through it, better lives.

There is no honorable mention for “J” because it’s a letter we don’t use enough. 😉

Next up, “K”. What are some good relevant words for this letter?

I is for If

The ABCs of Information Security

Learning the ABCs is important to understanding the English language, and the ABCs of Information Security are important for understanding the basic concepts in information (and people) protection. These ABCs are written as education for people who don’t speak information security natively and serve as good reminders for those of us already fluent in this confusing language.

Here’s our progress thus far:

Now for “I”…

“I” is for “if”.*

What if we were less ignorant, imperious, incoherent, irksome and impetuous, but a little more integrous, inoffensive, instrumental, interpersonal, and ingenious? Would we be less inundated with incessant information security incidents?

What if we were less inept and imprudent with the technology that’s so intertwined with every aspect of our daily lives? Would it even be possible to become impenetrable, impregnable and impervious to interminable attacks?

What if?

If we do more of the right things right, and less of the wrong things wrong, just think how much better off we’d be. The people we serve would be safer, we would be saner, and the world would be a better place!

The keys to making “if” closer to reality are less ignorance and more integrity.

What if we were less ignorant?

Ignorance is the lack of knowledge, understanding, or information about something.

Ignorance runs rampant within our industry and amongst the people we serve. People don’t know what information security is or what their personal responsibilities are.

If we were less ignorant, we’d know what information security is, and we’d know that it cannot be separated from privacy or physical safety. We’d know the importance of information security basics, and we’d practice them religiously. If we were less ignorant, we’d know how vulnerable we are and we’d demand better of ourselves. We’d know what we’re responsible for and what we should hold others accountable for. If we were less ignorant, we’d think twice before plugging that new sexy gadget into our home network. We’d demand more protection in the products and technologies marketed and sold to us incessantly.

By definition, we’re all ignorant. Nobody knows everything, but this isn’t the issue. The issue is being ignorant of something we shouldn’t be ignorant of.

Is it OK to be ignorant of:

  • computer security best practices if you use a computer?
  • Internet security best practices if you use the Internet?
  • what things are running on your home network if you have a home network?
  • online safety best practices if you have loved ones (kids, spouse, et al.) who are online?
  • the most significant organizational security risks if you’re the leader of the organization?
  • information security basics if you’re in charge of information security?

The answer in all these circumstances is “NO”. It’s NOT OK to be ignorant of things you are responsible for.

In today’s world, we can no longer separate information security from privacy or safety; even personal, physical safety. Everything is integrated. A single information security incident has the potential to expose private information, but even worse, it has the potential to kill someone. The truth is, information security is a life skill that all people must learn. Everyone has responsibilities, so what are yours?

Accepting ignorance is a default response when people are confronted with something that seems too complex, too confusing, too technical, or too anything. The key to fighting ignorance is simplification and mastering the basics. The basics are boring, the basics aren’t sexy, but despite these things, the basics are absolutely necessary.

So, what are the unsexy basics?

The first basic principle is to define rules for the game.

At Home
  • If you’re the head of your household, you’re the boss and you make the rules. It’s NOT OK to accept ignorance in this role. Learn what good information security behaviors are, lead by example, and expect others to follow. Ultimately, every bit of data that traverses your home network, every website visited by you and your family members, every device you plug in, everything is your responsibility.
  • If you’re not the head of your household, your job is to follow the rules and provide respectful feedback. No rules? Go see the head of your household and help them define the rules.

Go check out S2Me, it’s a FREE and SIMPLE personal information security risk management tool.

At Work
  • If you’re the CEO (or whatever title sits at the top of the org chart), you’re like the head of the household (above) for your organization.
  • If you’re not the CEO, your job is to follow the rules and provide respectful feedback. No rules? Go see the CEO (or his/her assistant) and help them define the rules.

Quick sidenote: This isn’t the article about writing rules for you, but maybe “R” will stand for rules (later).

No rules = chaos, anarchy, confusion, and disorder. There must be rules. You either define the rules and follow them, or you follow them and provide feedback. Now that you’ve read this, you cannot claim ignorance. You have knowledge, and now you must act.

Knowledge without action is negligence.

I’m not a lawyer, so I won’t give legal advice. The generic definition of negligence is “failure to take proper care in doing something”. Are you negligent if someone suffers because:

  • you don’t know the right thing to do, but you should?
  • you know the right thing to do, but fail to do it?

Ignorance isn’t bliss, it’s breach.

More than once, I’ve heard the comment “ignorance is bliss”. Ignorance for something you shouldn’t be is nothing more than an excuse for laziness and genuinely not giving a sh*t.

What if we were more integrous?

Integrous is the adjective form of integrity.

Integrity is an oft-used word in our industry, and here’s the definition:

  • the quality of being honest and having strong moral principles that you refuse to change
  • someone’s high artistic standards or standards of doing their job, and that person’s determination not to lower those standards
  • the quality of being whole and complete

Integrity applies to our industry in (at least) two ways; the integrity of data and the integrity of personnel responsible for protecting data.

Integrity of Data

If you’ve been in our industry for any amount of time, you’ve surely heard of the CIA triad. It’s an acronym for a fundamental concept; we protect the Confidentiality, Integrity, and Availability of data. Our “I” in CIA refers to the wholeness, completeness, and accuracy of the data we try to protect.

Simple. It’s important to remember that our job goes beyond making sure data is kept secret; we also need to make sure it’s accurate and available (to those who are authorized to access it).
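
Here is what the “I” in the triad looks like as a concrete check. This is an added example, not code from the original article: a keyed tag (HMAC-SHA256) is stored with a record, and re-checking the tag later tells us whether the record is still whole, complete and accurate. The record, the key and the tampering are all constructed sample data; the function names are my own.

```python
"""Integrity check for a stored record using a keyed hash (HMAC-SHA256).
Added example: the record, key and tampered copy are constructed sample data."""
import hashlib
import hmac
import json

# Constructed sample key. In a real system the key lives in a secret store,
# never next to the data it protects.
SAMPLE_KEY = b"constructed-demo-key-do-not-use"


def canonical_bytes(record: dict) -> bytes:
    """Serialize a record deterministically (sorted keys, fixed separators),
    so identical content always produces identical bytes and thus the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = SAMPLE_KEY) -> str:
    """Compute the integrity tag for a record."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify(record: dict, tag: str, key: bytes = SAMPLE_KEY) -> bool:
    """Return True only if the record is exactly what was sealed.
    compare_digest keeps the comparison constant-time."""
    return hmac.compare_digest(seal(record, key), tag)


def demo() -> dict:
    """Seal a constructed payroll record, then check an untouched copy and a
    copy in which one field was silently changed."""
    original = {"employee_id": 1042, "account": "NL00-DEMO-0001", "salary": 4200}
    tag = seal(original)

    untouched = dict(original)
    altered = dict(original)
    altered["account"] = "NL00-DEMO-9999"  # the kind of change an integrity control must catch

    return {
        "untouched_ok": verify(untouched, tag),  # True
        "altered_ok": verify(altered, tag),      # False: data is no longer whole and accurate
    }


if __name__ == "__main__":
    print(demo())
```

The key is the point of the design: an unkeyed checksum stored beside the data still catches accidental corruption, but anyone who can rewrite the record can recompute that checksum too. With the tag tied to a key the data owner controls, a changed record fails verification no matter who changed it.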

Integrity of Personnel

On this point, it’s hard not to rant. To keep us honest, we’ll over-simplify.

In our industry, there are the practitioners who work their tails off to protect people, and there are suppliers who make things practitioners use to protect people. Practitioners and suppliers; integrity is paramount to both. A lack of integrity in either is terrible and sad.

Practitioners

The person behind the keyboard is an integral part of any information protection strategy. Their integrity must be rock solid and continually verified. Background checks, character references, solid OSINT, etc., are all encouraged before hiring anyone. Address the questionable things before hiring, and not after you’ve given them the keys to the kingdom. Depending upon your comfort level, sensitivity of the job, etc., questionable things should be questioned, but they don’t always need to be a disqualifier. Giving people the opportunity to address the questionable things from their past might be good, given that people change (hopefully for the better).

Verify integrity constantly. At work, a practitioner shouldn’t mind having his/her activities monitored continually. They should see the value in it.

Suppliers

What’s worse, an attacker stealing $100,000 from your organization’s bank account or someone selling you security software that doesn’t work, or you can’t use, or you don’t need, or…? They’re both bad and either way you’re out a hundred grand. Stolen (or wasted) money is money your organization can’t use for better things; market expansion, employee benefits, innovation, etc. Suppliers who sell something to a practitioner when they know it’s not the right thing are like wolves in sheep’s clothing; almost worse than an attacker because at least you know the attacker is bad.

There are many suppliers who operate with integrity in our industry, but we must do a better job weeding out the ones who aren’t.

Summary

There you have it. “I” is for “if”. What if we were less ignorant and more integrous? Things would be much better around here.

*NOTE: “If” was inspired by my good friend Chris Roberts. Thanks!

H is for Holistic

Despite all the words that could have been chosen for the letter “H”, here it stands for:

Holistic

We use the word “holistic” semi-frequently in our industry, and there are several definitions. The two definitions I like best are both from the Cambridge Dictionary:

dealing with or treating the whole of something or someone and not just a part:

and the second, similar definition:

relating to the whole of something or to the total system instead of just to its parts

So then, a couple questions with respect to “holistic” and “information security”:

  1. What is the “whole” of information security?
  2. Why is the “whole” of information security important?

Let’s figure it out.

What is the “whole” of information security?

Ask an “expert”. Heck, ask ten! See what response(s) you get.

A simple definition of information security would help; however, a significant and often overlooked problem in our industry is that we still haven’t agreed on one. If you don’t believe me, and don’t want to ask an expert, Google “What is information security?”:

  • the state of being protected against the unauthorized use of information, especially electronic data, or the measures taken to achieve this.
  • Information security, sometimes abbreviated to infosec, is a set of practices intended to keep data secure from unauthorized access or…
  • Information Security refers to the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.
  • Information security, sometimes shortened to infosec, is the practice of protecting information by mitigating information risks. It is part of information risk…
  • The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

These are only the top five results. There are certain similarities; however, there are significant differences too. Only one of the definitions mentions risk, and even then it references “mitigating risks” versus managing them. I won’t dissect all the definitions here, but the point is, we don’t all agree. Just last week, I read an article from one of our industry experts who claimed that information security and cybersecurity are one and the same.

Ugh! This is us.

If we’re not confused enough ourselves, how do you think we’re viewed by people who don’t work in our field? You know, the ones who are ultimately responsible for information security in the organizations they lead?

Many of them, and some of us, believe information security is complex, overwhelming, and confusing. The default reaction for such things?

Ignorance.

Let’s simplify, explain, and fit information security into organized boxes. Maybe this will help. In order to understand the “whole” of information security, we must first know what “information security” is. The definition:

Information security is managing risk to unauthorized disclosure, modification, and destruction of information using administrative, physical, and technical means (or controls).

We can slice and dice this thing into millions of parts, but this will get us into the weeds quickly and back to that overwhelming feeling. A trick that’s worked for me and my clients is to dissect the “whole” of information security, from the top. Start with the goal or purpose of information security and work our way down through to the minutiae.

The purpose of information security is risk management.

Period.

The purpose of information security is NOT compliance and it’s certainly NOT risk elimination (which is impossible). So, start there.

The three high-level functional areas of information security; Administrative, Physical, and Technical means (or controls). Add those next.

Notice the overlap?

Everything is in the context of risk management. Administrative controls govern how we do things, including our handling of physical and technical controls. There has to be overlap between physical and technical controls because it doesn’t matter how well a server is configured when someone steals it.

From here, plug in all the other stuff. Again, fight the urge to dig in the weeds at this point. We can debate details for days (they vary from organization to organization anyway), but this is a good structure for holistic information security.

The most important points for holistic information security are understanding:

  • This is about risk management. (NOTE: Risk mitigation, referenced in one of the cited definitions earlier, is a risk decision as part of risk management. Some risks are completely acceptable as-is, and don’t require mitigation.)
  • Administrative controls rule the others. Computers only do what we tell them to do. Tell them to do bad stuff, and they will. Tell them to be configured poorly, and they will.
  • Information security isn’t an IT issue, clearly.

So, who cares?

Why is the “whole” of information security important?

We can’t fully realize the benefits of information security without understanding and treating the “whole” of information security. We sell ourselves, and the organizations we serve, short. Two important things come to mind almost immediately; we don’t realize the benefits and we don’t live in reality.

Reality

Treating the “whole” of information security better protects us from being blindsided by something we didn’t account for. You’ve probably heard the saying, “your security is only as good as your weakest link“? It’s been said thousands of times by people a lot smarter than me; here’s just a few:

So, then. What is your weakest link?

Treating any one part of information security while neglecting others is poor information security. If you’re fooled into thinking that you’re sufficiently protecting yourself (or your organization) without taking a holistic approach, you’re living with a false sense of security. It’s not reality.

Benefits

Information security has been treated as a cost center since before I started my career in the early 1990s. Sad. Why can’t we use information security to be more efficient, drive more business, and ultimately make more money (assuming this is the purpose of the business)? We can, but it takes an intimate understanding of holistic information security and the organizations we serve.

The short of it; mission (or purpose) alignment is key. Think about it for now, and perhaps we’ll elaborate more when we get to “M”.

Treating the “whole” of information security makes us better consultants to the organizations and leaders we serve. The most common “tell” for an information security leader (CISO or vCISO) who doesn’t understand (or treat) the holistic view of information security is his/her inability or unwillingness to put risk into context. The best CISOs are 1) great leaders and 2) understand risk in context.

Honorable Mention for “H”

Several words could have been chosen for the letter “H”, including:

  • Hacker – a person who can think outside of the box, exploring ways to use things beyond their intended purpose. Some hackers are motivated by curiosity, others by notoriety or money. What motivates a hacker is often deeply personal. Just like most things in life, hacking can be used for good or evil, depending upon the motivation.
  • HAL – an acronym for hardware abstraction layer, but every time I think “HAL”, I think of HAL 9000. HAL 9000 is the fictional artificial intelligence system from 2001: A Space Odyssey. If you haven’t seen this movie, stop reading now. It’s a classic, and you need to watch it.
  • Hardening – making systems (infrastructure, computers, etc.) less penetrable (or less vulnerable), often through configuration. Classic hardening techniques are removing applications that aren’t necessary, removing services that aren’t necessary, strengthening authentication (with MFA or other), etc. Well-known resources for system hardening include CIS Benchmarks and the Security Technical Implementation Guides (or STIGs).
  • Hardware – the stuff you can touch. Assets come in two forms; tangible and intangible. Hardware assets are tangible and are often used to manage intangible assets such as software and data.
  • HITECH – acronym for Health Information Technology for Economic and Clinical Health Act. This regulation was enacted in 2009 as part of the American Recovery and Reinvestment Act (ARRA). HITECH prescribes certain information security requirements and clarifies others (related to HIPAA) for healthcare and related entities.
  • HIPAA – acronym for the Health Insurance Portability and Accountability Act, enacted in 1996. Prescribes certain information security and privacy requirements for healthcare entities.
  • Heuristic – in simple terms, methods of deriving solutions to problems through learning and experience.
  • Home Area Network (HAN) – the network, and everything connected to it, in your (and my) home.
  • Honeypot – a purposely vulnerable computer system deployed to attract attackers. Honeypots are often deployed as a deception technique and/or to learn about the tactics attackers are using in the wild.
  • Human – You and me. I’ve often said that information security isn’t about information or security as much as it is about people (humans). Humans are the ones who suffer when things go wrong (if we didn’t, then nobody would care), and we are the most significant risk (not the computer).
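
The “Hardening” entry above describes the technique in one sentence; here is the same idea as a small check you can actually run. This is an added example, not code from the original article and not the CIS Benchmark or STIG content: it reads a constructed sshd_config excerpt and a constructed list of enabled services, compares both against an assumed baseline, and reports what deviates. The baseline values and the allowlist are illustrative assumptions, and the function names are my own.

```python
"""Minimal hardening check: configuration settings and enabled services
compared against an assumed baseline. Added example with constructed inputs."""
import re
from typing import Dict, List

# Constructed sshd_config excerpt (sample data, not from any real host).
SAMPLE_SSHD_CONFIG = """
# sshd_config excerpt (constructed)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
  PubkeyAuthentication yes
X11Forwarding no
"""

# Constructed list of services enabled on the sample host.
SAMPLE_ENABLED_SERVICES = ["sshd", "cron", "telnet", "rpcbind", "cups"]

# Assumed baseline (illustrative, not the CIS or STIG text): keyword -> expected value.
SSHD_BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PubkeyAuthentication": "yes",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Assumed allowlist: the services this particular host is known to need.
SERVICE_ALLOWLIST = {"sshd", "cron"}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return a lowercase keyword -> value map from sshd_config-style text.
    Comments and blank lines are skipped; 'Key value' and 'Key=value' are both
    accepted; like sshd itself, the FIRST occurrence of a keyword wins."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"(?:\s*=\s*|\s+)", line, maxsplit=1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def check_sshd(text: str, baseline: Dict[str, str] = SSHD_BASELINE) -> List[str]:
    """List baseline settings that are missing or differ from the expected value."""
    settings = parse_sshd_config(text)
    findings: List[str] = []
    for key, expected in baseline.items():
        actual = settings.get(key.lower())
        if actual is None:
            findings.append(f"{key}: not set (expected {expected})")
        elif actual.lower() != expected.lower():
            findings.append(f"{key}: {actual} (expected {expected})")
    return findings


def check_services(enabled: List[str], allowlist=SERVICE_ALLOWLIST) -> List[str]:
    """List enabled services not on the allowlist: the candidates for removal
    or disabling, which is the classic hardening step described in the text."""
    return sorted(s for s in enabled if s not in allowlist)


if __name__ == "__main__":
    for finding in check_sshd(SAMPLE_SSHD_CONFIG):
        print("sshd:", finding)
    for service in check_services(SAMPLE_ENABLED_SERVICES):
        print("service not in allowlist:", service)
```

On the constructed input this reports root login and password authentication as deviations, MaxAuthTries as unset, and telnet, rpcbind and cups as services the host has no stated need for. The useful part is the structure: a written baseline, a parser that mirrors how the real program reads its file (first occurrence wins), and findings that name the expected value, so the output can be checked against whichever benchmark the organization has adopted.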

That does it for “H”, now on to “I”.

G is for Governance

Governance

How does the word “governance” make you feel? In full transparency, the word makes me edgy and disturbed.

I really don’t like the word “governance”.

Maybe you’re like me, and “governance” gives you a case of the heebie-jeebies. What about this word makes us feel this way?

Two things (for me anyway); I don’t like being told what to do, and bad governance seems more prevalent than good governance. Maybe I’d cringe less if good governance were more common in our industry.

Let’s do three things here; 1) define what governance is, 2) describe bad governance, and 3) show what good governance looks like. If you think information security governance is a waste of your time, you’re wrong!

Governance is critical to every information security program without exception.

If this is true, we’ll need to do some explaining.

What is Governance?

Literally. Merriam-Webster defines “governance” as:

the act or process of governing or overseeing the control and direction of something (such as a country or an organization) 

Further definition, this time using the word “govern”:

  • to exercise continuous sovereign authority over – Sovereign means supreme authority. Authority without accountability can easily lead to despotism, and that’s bad! So, governance without accountability is also bad, really bad.
  • to control the speed of (a machine) especially by automatic means – Could apply figuratively, but this is more like a governor on a motor.
  • to control, direct, or strongly influence the actions and conduct of – This one works I think.
  • to exert a determining or guiding influence in or over – Yeah, even better. I especially like the use of the word “influence” versus manipulation. Different things.
  • to serve as a precedent or deciding principle for – Another definition that fits.

OK, now to apply this knowledge of “governance” to information security.

Bad Governance

Bad information security governance can be more damaging to an organization than no governance at all. Here are some reasons for bad governance:

  • Poor Alignment – Bad governance starts with poor (or no) alignment with the organization’s mission. The mission of the organization defines its purpose and its reason for existence. ALL things done in the business should be aligned with the mission, including information security.
    • If the organization has no mission, it is purposeless and directionless. Best of luck trying to establish information security governance in this organization! You’ll need it.
    • If the organization has a mission, but information security governance is misaligned with it, we’ll run into all sorts of issues. Issues can include lack of business “buy-in”, angry/disgruntled personnel, culture problems, constantly changing direction (without progress), misappropriated funds, etc.
    • If you don’t know whether your organization has a mission, go find out! It’s really important.
  • No Roles and Responsibilities – Start with a simple question, “Who’s ultimately responsible for information security here?” Too many organizations have no answer or a crappy answer to this fundamental question. From there, begin to define all the things that need to be done (responsibilities). Assign responsibilities to people (roles), and you’re on your way to better governance. People don’t inherently know what their role is or what their responsibilities are. Define and enable.
  • No Accountability – Holding people accountable just makes sense. Roles, responsibilities, and rules without accountability are all empty; they’re useless.
  • Poor leadership – Not just business leadership, but information security leadership. We have a lot of CISOs, directors, and managers in this industry, but not enough leaders. Leaders define direction and become people that other people want to follow. Can you think of an information security leader you didn’t want to follow? Don’t be that person.

Governance just for the sake of governance is dangerous. Bad governance is the sort of governance that makes me/us cringe. Ick!

Good Governance

Good governance is attainable, and it’s beautiful.

We already mentioned the key, it’s alignment.

This is where there’s harmony between the business and information security. The purpose of the information security program fits nicely within the organization’s mission, and even drives the mission forward. Management sees the value in information security. They understand how information security is vital to the organization’s mission and not just a cost center. Management champions the cause because they get it.

Information security doesn’t get in the way, it’s part of the way.

Roles and responsibilities are clearly defined, well communicated, and everyone is enabled to do their part. Information security is part of the culture. Accountability isn’t punitive, but empowering. There are incentives for doing good things instead of punishments for making mistakes.

This sort of governance is led by information security leadership that has a vision for information security. The vision clearly benefits the organization as a whole, not just the security team or IT. The vision is clear and people can see how it benefits them personally. They don’t just tolerate information security, they want to be part of it.

Information Security – The Game

Good governance can work like a good board game.

  • Alignment – We play a board game for a reason. We want to have fun, we want to win, we want to socialize, or whatever. It’s an enjoyable experience, and we’re all sitting down at the table together for a reason.
  • Roles and Responsibilities:
    • Management – In a board game, someone defined the rules for playing the game. We need to define the rules for our information security game. Don’t lose track of the purpose (See: Alignment).
    • Information Security Leadership – They helped design the game with business management, so they should be experts on how the game is played. This is also the person who sits down, reads/understands the rules for the game, then helps the players play the game correctly.

Quick Question: In a board game, how many people read the instructions?

Answer: One. One person reads the rules, disseminates the rules to the other players, and instructs people how to play.

Seems logical.

Another Quick Question: Why do we ask everyone to “read and acknowledge” information security policies (in a poorly governed security program)?

Answer: You shouldn’t. It’s bad governance and a bad precedent. Nobody will read your policies!

    • Employees – The players. They’re expected to play the game according to the rules. They understand the importance of the rules, and understand the reason for the game. They may want to win (positive reinforcement), enjoy the experience, or whatever else motivates them.
  • Accountability – As the game is played, it’s played according to the rules. One player isn’t permitted to define his/her own rules or cheat. Accountability is built into the game.

Conclusion

Good governance is critical to the success of all information security programs. The definition of “good” depends upon your organization’s mission, but in all cases it’s supported by alignment, roles and responsibilities, accountability, and leadership.

Basically, three options:

  1. No Governance = Anarchy
  2. Bad Governance = Chaos, waste, loss, false sense of security, mutiny, etc.
  3. Good Governance = Harmony, effectiveness, simplicity, relaxation, calm, value, etc.

You make the choice (assuming you’re empowered to), but I’ll choose option #3 please.

Honorable Mention for “G”

Again, many great suggestions from friends. Here are the honorable mentions for the letter G:

  • Gamification
  • GLB Act or GLBA
  • Governance, Risk And Compliance (GRC) – NOTE: actually three different (but related) things rolled into one; good for selling more stuff.
  • Gray Box Testing
  • Group Policy Object (GPO)

OK, now to figure out what “H” will be…

F is for Fundamentals

Despite how much I’d like to use “F” for something else:

  • What the ____ are you doing?!
  • ____ you!
  • Who the ____ told you to do that?!
  • Why the ____ do I bother?

I’ll fight the urge and use “F” in a more decent manner, even if it is a little less honest.

So why does “F” stand for Fundamentals? For starters, fundamentals are critical. Without understanding and implementing fundamentals, the information security program you’ve poured your heart, soul, and money into will fail. Fundamentals form the foundation, and a house with a crappy foundation looks like this…

You might think your information security program looks better than this house, but if you lack fundamentals, you’re wrong. Sadly, we’ve seen too many information security programs look exactly like this house; falling apart, unsafe, and in need of serious rebuilding (or starting over). So, why do so many information security programs look like this house?

The quick answer:

  1. People don’t understand the fundamentals of information security. (AND/OR)
  2. People don’t practice the fundamentals of information security.

Let’s start with #1

People Don’t Understand Information Security Fundamentals

Seems we’ve preached “fundamentals” so many times, I’m beginning to wonder if we’re using the word right. Let’s look at the definition, then use logic (our friend) to take us down the path of understanding.

Here’s the definition of “fundamental” from Merriam-Webster (along with my notes):

  1. serving as a basis supporting existence or determining essential structure or function – the “basis” or foundation of information security.
  2. of or relating to essential structure, function, or facts – the words “essential structure” reinforce the idea of foundation. We can’t build anything practical without a good foundation; therefore, we need to figure out what makes a good information security foundation (based upon its function).
  3. of central importance – what is the “central importance” of information security? We get this answer from understanding the purpose of information security.

OK, now let’s take “fundamental” and apply it to “information security”. My definition of information security is:

Managing risk to unauthorized disclosure, modification, and destruction of information using administrative, physical, and technical means (or controls).

Does the definition of information security meet the objectives set by the definition of “fundamental”? Think about it. Re-read if necessary.

Settled?

If the answer is “no”, then define information security for yourself. Write it down. (let’s hope ours are close to the same)

The definition of “information security” is the most fundamental aspect of information security. If we don’t have a solid fundamental understanding of information security, good luck with the rest.

OK, so what’s next?

Notice the words “managing risk” in the definition? Information security isn’t “eliminating risk” because that’s not possible. Managing risk, however, is quite possible. Seems our next fundamental is to define how to manage risk. Logic is still our friend, so let’s use it again:

  • You cannot manage risk unless you define risk. = risk definition
  • You cannot manage risk unless you understand it. = risk assessment
  • You cannot manage risk unless you measure it. = risk measurement (management 101 – “you can’t manage what you can’t measure”)
  • You cannot manage risk unless you know what to do with it. = risk decision-making

Risk Definition

If managing risk is fundamental to information security, it’s a good idea for us to define risk. The dictionary definitions of risk are not entirely helpful or practical. For instance:

  1. possibility of loss or injury – this only accounts for likelihood and says nothing of impact.
  2. someone or something that creates or suggests a hazard – this is more “threat” than risk.

In simple terms, risk is:

the likelihood of something bad happening and the impact if it did

OK, but how do we then determine likelihoods and impacts?

These are functions of threats and vulnerabilities. More logic, this time theoretical:

  • If you have no weakness (in a control), it doesn’t matter what the threat is. You have zero risk.
  • If you have infinite weakness (meaning no control), but have no threats, you also have zero risk.
  • If you have infinite weakness (meaning no control), and have many applicable threats, you (potentially) have infinite risk.
  • Zero risk and infinite risk are not practically feasible; therefore, risk is between zero and infinity.

Makes sense. The important things to remember about risk are likelihood, impact, threat, and vulnerability. Also, it helps to remember that risk is always relative.

Risk Assessment

The next fundamental in “managing risk” is to assess risk. To some folks, assessing information security risk seems like a daunting and/or useless exercise. There are several reasons for this. One reason might be because it is new to you. Risk assessments aren’t new (we do risk assessments all the time), but doing them in the context of information security is new.

Examples of everyday risk assessments:

  • You’re driving down the road and the traffic light turns yellow. The risk assessment is quick and mostly effective. What’s the likelihood of an accident or a police officer watching? What would the repercussions be (or impact)? You quickly look around, checking each direction. You assess your speed and distance. If you assess the risk to be acceptable, you go for it. If you assess the risk to be unacceptable, you hit the brakes.

NOTE: Risk decision-making for information security comes later in this post.

  • You just used the restroom. Do you wash your hands or not? You assess the risk of not washing your hands. Will I get sick, or worse, get someone else sick if I don’t wash? What are the chances? What could be the outcome if you don’t wash your hands? If you deem the risk to be acceptable without washing, you might just walk out the door. If you deem the risk to be unacceptable (hopefully), you’ll take a minute or two and wash your hands.

We all do risk assessments, and we do them throughout the day. We’re used to these risk assessments, and we don’t think much about them. Most of us aren’t used to information security risk assessments. There are so many controls and threats (known and unknown). It’s easy to become overwhelmed, confused, and paralyzed; leading to inaction.

Some truth about information security (risk) assessments:

  • There is no such thing as a perfect one.
  • Your first one is probably going to be your worst and most painful one.
  • You cannot manage information security without one.
  • They’re fundamental.

Just do an information security risk assessment. Worry about comparisons, good ones versus bad ones, later (you’re probably not ready to judge anyway).

Risk Measurement

People argue about measurements. Don’t. Fight the urge.

You can use an existing risk measurement (FAIR, S2Score, etc.) or create one yourself. If you’re going to create your own risk measurement, here are some simple tips:

  1. Make the measurement as objective as possible. Instead of open-ended inputs or subjective inputs, use binary ones. Binary inputs are things like true/false, yes/no, etc.
  2. Use the measurement consistently. An inch is an inch, no matter where you apply it. A meter is a meter, no matter where you use it. For example, if a “true” answer to some criterion results in a vulnerability score of 5 today, it should be a 5 tomorrow too. Applying threats may change the result, but the algorithm stays the same.
  3. Measure only criteria that are relevant. For instance, take the crime rate in a neighborhood. Is it relevant to information security risk? The answer is yes. Our definition of information security covers “administrative, physical, and technical” risk, and crime rates are relevant to physical security threats.

If you are new(er) to information security risk management, you may want to use a metric that’s already been defined by someone else. Again, caution against trying to find the perfect measurement. It’s like arguing whether an inch is a better measurement than a centimeter. Don’t get me started…

Risk Decision-Making

Alright, so you did your information security risk assessment.

Done?

Nope, just getting going now. Before doing your risk assessment, you were risk ignorant. Now, you’re risk learned. Yay you!

What to do with all this risk?

Let’s say your organization scored a 409 on a scale of 300 (worst) – 850 (best), and you discovered several areas where the organization scored close to 300. There’s LOTS of room for improvement. Now you need to make decisions about what you’re going to do. To keep things simple, you only have four options:

  1. Accept the risk as-is. The risk is acceptable to the organization and no additional work is required.
  2. Transfer the risk. The risk is not acceptable, but it’s also not a risk your organization is going to mitigate or avoid. You can transfer the risk, often to a third-party through insurance or other means.
  3. Mitigate the risk. The risk is not acceptable, and your organization has decided to do something about it. Risks are mitigated by reducing vulnerability (or weakness) or by reducing threats.
  4. Avoid the risk. The risk is not acceptable, and your organization has decided to stop doing whatever activity led to the risk.

That’s it. No other choices. Risk ignorance was not a valid option.
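As an added example (not code from the original post, and not any published scoring model), here is a toy risk measurement in Python that follows the three tips above, reproduces the zero-risk corner cases from the Risk Definition section, and ends with the four decision options. The control names and weights, the threat likelihoods and impacts, the sample answers, and the mapping onto a 300 (worst) to 850 (best) scale are all made-up assumptions chosen to illustrate the shape of such a measurement.

```python
"""Toy information-security risk measurement and decision helper.

Added example, not code from the original post. Every control name, weight,
threat likelihood, impact and the 300-850 score mapping below is a made-up
assumption chosen to illustrate the post's tips, not a published model.
"""
from typing import Dict, List, Tuple

# Constructed binary checklist: control -> (weight, threats it defends against).
CONTROLS: Dict[str, Tuple[int, Tuple[str, ...]]] = {
    "offline_backups_tested": (5, ("ransomware",)),
    "patching_within_30_days": (3, ("ransomware", "data_breach")),
    "mfa_on_email": (4, ("bec", "data_breach")),
    "payment_change_callback": (5, ("bec",)),
    "phi_encrypted_at_rest": (4, ("data_breach",)),
    "quarterly_access_review": (2, ("data_breach",)),
}

# Constructed threats: name -> (likelihood 0..1 with no controls, impact 1..10).
THREATS: Dict[str, Tuple[float, int]] = {
    "ransomware": (0.6, 9),
    "bec": (0.5, 7),
    "data_breach": (0.4, 10),
}

SCORE_BEST, SCORE_WORST = 850, 300

# Constructed sample answers for one organization (True = control in place).
SAMPLE_ANSWERS = {
    "offline_backups_tested": False,
    "patching_within_30_days": True,
    "mfa_on_email": True,
    "payment_change_callback": False,
    "phi_encrypted_at_rest": True,
    "quarterly_access_review": False,
}


def vulnerability(answers: Dict[str, bool], threat: str, controls=CONTROLS) -> float:
    """Fraction (0..1) of the defensive weight against `threat` that is missing.

    Inputs are binary (tip 1) and the arithmetic never changes (tip 2): the same
    answers always produce the same number. A threat with no defending control
    at all is the post's "infinite weakness" case and returns 1.0.
    """
    relevant = [(w, answers.get(name, False))
                for name, (w, threats) in controls.items() if threat in threats]
    total = sum(w for w, _ in relevant)
    if total == 0:
        return 1.0
    return sum(w for w, present in relevant if not present) / total


def risk_by_threat(answers, threats=THREATS, controls=CONTROLS) -> Dict[str, float]:
    """risk = likelihood x impact x vulnerability, computed per threat."""
    return {name: likelihood * impact * vulnerability(answers, name, controls)
            for name, (likelihood, impact) in threats.items()}


def score(answers, threats=THREATS, controls=CONTROLS) -> int:
    """Map total risk onto the post's 300 (worst) .. 850 (best) scale.

    All controls present scores 850, every control missing scores 300, and no
    threats at all scores 850 (zero risk), matching the post's corner cases.
    """
    total = sum(risk_by_threat(answers, threats, controls).values())
    worst = sum(likelihood * impact for likelihood, impact in threats.values())
    if worst == 0:              # no threats: zero risk regardless of weakness
        return SCORE_BEST
    return round(SCORE_BEST - (SCORE_BEST - SCORE_WORST) * total / worst)


def decide(answers, appetite: float, threats=THREATS, controls=CONTROLS):
    """Risk decision per threat.

    At or below the risk appetite the only option is to accept. Above it the
    organization must mitigate, transfer or avoid; the tool cannot pick among
    those, but it lists the missing controls heaviest-first as the mitigation
    candidates that would move the number the most.
    """
    decisions: Dict[str, Tuple[str, List[str]]] = {}
    for name, risk in risk_by_threat(answers, threats, controls).items():
        if risk <= appetite:
            decisions[name] = ("accept", [])
            continue
        gaps = [c for c, (w, ts) in controls.items()
                if name in ts and not answers.get(c, False)]
        gaps.sort(key=lambda c: controls[c][0], reverse=True)
        decisions[name] = ("mitigate/transfer/avoid", gaps)
    return decisions


if __name__ == "__main__":
    print("score:", score(SAMPLE_ANSWERS))
    for threat, (option, gaps) in decide(SAMPLE_ANSWERS, appetite=2.0).items():
        print(f"{threat:12} {option:24} fix first: {gaps}")
```

The point of the design is that the only subjective inputs are the weights and the threat estimates, which are set once; the per-organization answers are yes/no, so two assessors given the same checklist produce the same score, and re-running next quarter against the same algorithm shows real movement rather than a change in opinion.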

There you go! Now you have a start to the fundamentals of information security! The foundation.

Did you notice that I didn’t mention anything about security standards, models, frameworks, identification, authentication, etc.?

These are all fundamentals too, but first things first.

People don’t practice the fundamentals of information security.

We live in an easy button, instant gratification, shortcut world today. Information security is simple, but it’s definitely NOT easy. Good information security takes work, a lot of dirty (NOT sexy) work. What happens when you cut corners in laying a foundation? Bad things.

  • Hacking things. That’s a lot sexier than doing a risk assessment.
  • Blinky lights. These are a lot sexier than making formal risk decisions.
  • Cool buzzwords. So much sexier than the basics. The basics are boring!

Hacking, blinky lights and buzzwords all have their place, but not at the expense of fundamentals.

You have no excuse for not doing the fundamentals. Zero. The truth is, if you know the fundamentals and fail to do them, you’re negligent (or should be found as such). Reminds me, there are a few more fundamentals you should know about before we finish:

  • Roles & Responsibilities – Ultimately, the head of the organization (work and/or home) is the one responsible for information security; all of it. He/she may delegate certain things, but the buck always stops at the top of the food chain. Whatever’s delegated must be crystal clear, and documentation helps. We should always know who does what. (See: E is for Everyone).
  • Asset Management – You can’t secure what you don’t know you have. Assets are things of value; tangible (hardware) and intangible (software, data, people, etc.). Tangible asset management is the place to start, because it’s easier to understand. Once you’ve nailed down your tangible assets, go tackle your intangible ones.
  • Control (access, change, configuration, etc.) – You can’t secure what you can’t control. Controls are administrative (the things we use to govern and influence people), physical, and technical.
    • Start with administrative controls; policies, standards, guidelines, and procedures. These are the rules for the game, and this is where standards like ISO 27002, COBIT, NIST SP 800-53, CIS Controls, etc. can help.
    • Access control; identity management and access management. Authentication plays here.
    • Configuration control; vulnerabilities love to live here (not just missing patches).
    • Change control; one crappy change can lead to complete vulnerability and compromise.

The last fundamental is the cycle. Cycle through risk assessment, risk decision-making, and action. The frequency of the cycle depends on you.

Summary

I’d rather over-simplify information security than over-complicate it. Simplification is always a friend, along with logic. Quick summary of the fundamentals of information security:

  • Fundamental #1 – Learn and work within the context of what information security is (risk management).
  • Fundamental #2 – Roles and responsibilities.
  • Fundamental #3 – Asset management.
  • Fundamental #4 – Administrative control.
  • Fundamental #5 – Other controls (several).

Honorable Mention for “F”

As was true in previous ABCs, I got some great suggestions. Here’s some honorable mentions for “F”:

  • Facial Recognition
  • Failover
  • Failure
  • Faraday Cage
  • Fat Finger
  • Fear Uncertainty & Doubt (FUD)
  • Federal Information Processing Standards (FIPS)
  • Federal Information Security Management Act (FISMA)
  • Federal Risk and Authorization Program (FedRAMP)
  • Federated Identity Management (FIM)
  • Feistel Network
  • FERPA
  • Fibonacci Sequence
  • File Integrity Monitoring (FIM)
  • File
  • Fingerprint
  • Firewall
  • Foobar/Fubar
  • Fortran
  • Fraud over Internet Protocol
  • Fuzz Testing

Hope this helps you in your journey! Now on to “G”.


E is for Everyone

There are lots of relevant information security words that start with “E”, but I’m going with “Everyone”.

Why?

Three primary reasons:

  1. Information security (good or bad) affects everyone.
  2. Everyone has a role in information security.
  3. If everyone has a role, then everyone must have responsibilities.

There’s a saying I often use:

Information security isn’t about information or security as much as it is about people.

Two important points from this statement:

  1. People suffer when things go bad. If nobody suffered, nobody would care.
  2. People are riskier than technology. Technology only does what we tell it to (for now).

Let’s apply these points to our reasons why “E” is for everyone.

People Suffer

When bad things happen, people suffer. Doesn’t matter if we call the “bad thing” a data breach, a ransomware attack, a phish, business email compromise, or whatever. All bad things related to information security affect real human beings, either directly or indirectly.

Some quick examples:

  • Ransomware attack (poorly prepared) – A ransomware attack hits an organization. The organization isn’t well prepared for it, meaning they didn’t adequately backup their data or adequately protect their backups. The organization has no hope of recovery without negotiating with the attackers and paying the ransom. No worries, “it’s covered by insurance”, a common reply. People suffer:
    • The organization suffered an outage, even if minimal, it’s an outage. Outages mean lost services to customers and lost revenue for the organization. Customers suffer and so do the organization’s stakeholders (owners, investors, employees, etc.).
    • The insurance company suffered the claim loss. This might seem insignificant, but insurance companies are not in the business of losing money. They will raise premiums across the board if necessary to recoup losses. “In the first half of 2020 alone, we observed a 260% increase in the frequency of ransomware attacks amongst our policyholders, with the average ransom demand increasing 47%,” Coalition (one of the largest providers of cyber insurance services in North America). Insurance company stakeholders suffer (even if temporarily), and we all suffer through higher insurance premiums.
    • Paying an attacker a ransom, leads to their re-investment in better and more frequent attacks. We all suffer. Everyone suffers, and worse, the cycle continues.
  • Business email compromise – An organization suffers a business email compromise that leads to $800K loss; stolen money through unauthorized ACH transfers. This resulted in a loss for the organization, its customers, and its stakeholders. They all suffered. This attack resulted in $800K that could no longer be spent on good things; things like expansion, employee benefits, employee salaries, etc.
  • Data breach – A hospital gets hit with ransomware, but this variant also exfiltrated protected health information (PHI). The hospital didn’t properly protect itself, and certainly didn’t protect the patients well. The hospital suffered a significant outage, affecting services for patients when they’re needed most. To make matters worse, all patients who were affected by the lost information are now dealing with significant anxiety and safety issues.
    • Anxiety from knowing their private information is in the hands of someone they don’t trust. Contributing to the anxiety is not knowing when/if their information has been used by criminals or how to fix the problem if it did.
    • When a criminal uses stolen PHI to get treatment, their health information becomes mixed with/added to the victim’s. If the criminal gets treatment for a condition using a victim’s medical record/insurance, the criminal’s treatment is now on the victim’s medical record. The next time the victim gets treatment (legitimately), he/she may be treated as though he/she has the criminal’s condition, leading to potentially faulty life/death decisions made by doctors.
    • Victims are also faced with medical bills that aren’t theirs. If you’ve dealt with medical bills before, you know how this feels.

The list could go on, but you get the point. These scenarios are based on real stories. Reality, NOT fantasy.

Information security (good or bad) affects EVERYONE.

At Home

At home the problem is more direct, but less understood. Attackers have always gone after people at home. Since the first home PCs were connected to the Internet, they’ve been under attack. If we think attackers have relented, we’re foolish.

The problems at home are less understood for a couple reasons:

  1. The consumer market has been grossly underserved. This market is underserved because consumer information security is more difficult to monetize. This market is very easy to monetize for cool blinky lights, personal assistants, “smart” homes, etc. It’s a pain in the ass to monetize for information security.
  2. Personal attacks, or attacks at home, don’t grab the headlines like organizational attacks do. People aren’t paying attention (as much); however, this might be changing with the explosion in remote working or “work from home”.

At home, your information security and safety are your responsibility. Not mine. Not the government’s. Yours. Sadly, an attack aimed at you or your children is yours to bear, sometimes alone.

People Are Riskier

Riskier how? In terms of being riskier than the technology or in terms of being riskier than they were before?

Yes. Both.

Technology only does what we tell it to do. Tell it to do bad things (on purpose or by accident), and the technology does bad things. Tell it to do good things, and you guessed it, technology will do good things. It’s not technology that’s bad as much as it’s the behavior of technology makers and consumers that can make it bad. Technology makers are incented to get the product (hardware and/or software) into consumers’ hands as quickly and cost-efficiently as possible, NOT as securely as possible. Information security is up to you then. If you don’t know how to secure the product or technology, then you will suffer the consequences.

Technology makers need to be incented to make things more secure, not punished for making things insecure.

Consumers need to learn better information security habits to reduce their risk within their area of influence; in communities, at work, and especially at home.

EVERYONE has a role in information security. What’s yours?

Roles

In simple terms, there are information owners, custodians, and users. In reality, this is where the breakdown starts. Most people have no clue what their role is. If you don’t know your role, you don’t stand a chance of understanding your responsibilities.

Information Owners

These are people who are directly affected by the loss of confidentiality, accuracy (or integrity), and/or availability of their information. They “own” the information, and it’s theirs.

Examples:

  • My health record is mine.
  • My financial account information is mine.
  • My Social Security Number is mine.
  • My private conversations are mine.
  • My private emails are mine.
  • My credentials for accessing accounts are mine.

I am the information owner. At times, I’m the information owner for people I’m responsible for too, like members of my family.

Information Custodian

These are the organizations and people to whom the information owner has delegated the responsibility of protecting the information.

Examples:

  • The hospital is a custodian of my health record.
  • The bank is a custodian of my financial account information.
  • The school, employer, bank, credit agency, etc. is custodian of my Social Security Number.
  • The phone carrier (or whoever else I might be using for private conversations) is the custodian of my private conversation.
  • The email provider (personal and work) is the custodian of my private emails.
  • The password manager program (please tell me you use one), and everyone I authenticate with, are custodians of my credentials for accessing accounts.

Information Users

These are people who use the information in a manner approved by the information owner through the information custodian.

Organizations Are Not Data Owners

Organizations do not “own” our information. Organizations are custodians and users of our information.

Organizations do NOT “own” any information except what they’ve created.

Organizations act like “owners” of our information, but they’re not. If they want to be, then they’ll need to accept the consequences of misuse instead of pushing the consequences onto the real owners (you and me). Organizations act like owners of our information when they make risk decisions on our behalf without our approval. Truly, if more people knew how some (maybe most) organizations protected our information, I’m pretty sure some of us would stop doing business with them.

Responsibilities

Each role has specific responsibilities, but this is where things get even messier.

Information Owner

Information owners must inform/declare to information custodians what’s acceptable and what’s not with respect to protecting their information. Once this has been defined, it’s also the owner’s responsibility to hold the custodian accountable.

The problem

Most people have no idea that they are an information owner or what it means to be an owner. For those who do understand the role, many feel powerless to do anything with it. We have a long way to go in empowering information owners to delegate information security responsibilities effectively and simply to data custodians. We’ve tried going down this route, sort of, with compliance mandates, but our compliance initiatives are far behind the times and largely ineffective. Much work to be done here.

Information Custodian

Information custodians protect information according to what’s been delegated by the information owner. If nothing has been delegated (explicitly), custodians are left to their own devices. Some custodians treat our information with extreme care while others couldn’t care less. If we’re frustrated by how organizations are protecting our information, maybe we need to back up and look at our responsibilities (as information owners) and create solutions that will allow us to become empowered.

Information User

Easy. Just follow the rules, as defined by the owner and delegated through the custodian. If the user doesn’t understand the rules, it might be due to breakdowns in information ownership and/or custodianship. If the user doesn’t follow the rules because they don’t want to, there are other problems of course.

If everyone has a role, then EVERYONE must have responsibilities.

Fundamental

This is not only fundamental information security, this is fundamental logic. We’ve got a lot of work ahead of us.

Honorable Mention for “E”

I received many great suggestions for the letter “E” including:

  • Evolution – information security is certainly evolving, but not fast enough. Complexity is the worst enemy of information security, and we’re going too fast to secure things. Technology is evolving much faster than our ability to secure it.
  • Elephants – the “elephant in the room” is often information security, or the lack thereof. If only we could make the elephant a little smaller and little less intimidating.
  • Efficiency – a great word, but could be a can of worms. If we can make things more secure (less risk) and be more efficient, we have the potential recipe for success!
  • Endpoint – endpoint protection is certainly part of the equation, but I didn’t choose it because of the overemphasis our industry puts on its importance. It’s important for sure, but some people (vendors mostly) will claim it’s the silver bullet/easy button. I know the person who suggested “endpoint” is NOT insinuating such a thing (I know him), but others might. Just FYI: silver bullets and easy buttons don’t exist and never will.
  • Encryption – a great suggestion and safe choice. Encryption is wonderful and a critical protection against unauthorized disclosure and/or alteration of data.
  • Evolve – closely related to “evolution”. See above.
  • Exfiltration – another great suggestion. Exfiltration is the extraction or taking of information from an environment, and the word is often used in relation to data breaches. It often results in a compromise of confidentiality if the data wasn’t adequately protected with encryption (another vote for “encryption” above).

One last word that I was considering was “education”. Education is VERY important and we all must continue learning. There are so many good free and paid education opportunities available everywhere, there’s really no excuse for not investing in yourself.

Next up is “F”. Ooh, a bad word I use too much starts with “F”! You know the word, but it’s not going to make it into the Security ABCs, sorry.

Why Isn’t “C” for Compliance?

If you missed it:

And “C” is NOT for compliance. Why not?

The simple answer is:

Compliance is NOT information security despite what people may think.

Judging from how many organizations treat compliance and information security as if they were the same, people must be confused. They’re not the same. Compliance has never been the same as information security, and it never will be.

Ultimately, compliance is doing what you’ve been told to do.

Explanation

Here’s how compliance works.

A governing body (country, state, industry, etc.) decides it needs to do something about information security, or privacy (a different, but inseparable thing). They write a law, regulation, or standard by which all entities (organizations) must abide. Examples include:

  • 104th United States Congress\Department of Health, HIPAA, all entities interacting with PHI.
  • 106th United States Congress\Federal Financial Institutions Examination Council (FFIEC), GLBA, financial institutions.
  • California State Legislature, Assembly Bill No. 375 (California Consumer Privacy Act or “CCPA”), for-profit businesses who conduct business in California that 1) have gross revenue in excess of $25MM, 2) buy, receive, or sell personal information of 50,000 or more consumers, or 3) earn >1/2 of their annual revenue from selling consumer personal information.
  • Payment Card Industry Security Standards Council (self-regulation), Payment Card Industry Data Security Standard (PCI-DSS), organizations that handle branded credit cards from the major card brands (VISA, MasterCard, et al.)

If you’re in the sights of the regulation\law\standard, you have little choice but to comply with the regulation\law\standard or face sanctions. Where organizations DO have a choice is in how they comply. Organizations can choose:

  1. To abide by the intent of the regulation\law\standard, or
  2. To abide by the letter of the regulation\law\standard.

The choice comes down to the organization’s understanding, lack of skill, and/or how short-sighted management may be.

Option #1 – Intent of the Law

The intent of information security and privacy related regulations/laws/standards is usually a noble one. Take HIPAA for instance, the intent is to protect protected health information (PHI).

That seems noble.

The challenge is writing a regulation\law\standard that’s prescriptive enough to be effective in enforcing the intent while at the same time being flexible enough to apply to a large population and all its inherent variables. There are 146 mentions of the word “risk” in the Final Rule. This is great because “risk management” fits our definition of information security. Clearly, when reading the text, the intent of HIPAA is to build a fundamental information security program upon risk management fundamentals.

This is not only noble, but it’s very close to producing the same outcome as information security. Sadly, this is as close to information security as compliance gets.

Option #2 – Letter of the Law

If the intent of the law escapes you, you have the other option, a shortcut, the letter of the law. Abiding by the letter of the law is a shortcut, leading to checkboxes and poor information security.

HIPAA calls for a risk analysis in the Security Rule, so shortcutters get out their Excel spreadsheet and do the minimum work necessary to check the box. HHS recognized that people were half-assing it. Many healthcare organizations were not even doing their risk assessments, so in 2009/2010 they incented health care organizations through Meaningful Use Requirements. That still didn’t have its desired effect, so they increased enforcement through the OCR (first settlement in 2009). That still didn’t do enough, so HHS started compliance audits in 2011. Still not enough, so the Omnibus Rule came about in 2013. Since then HIPAA audits have been delayed and we’re in a bit of a stalemate.

Question. Has healthcare information security been improved, or not? In some places, “yes” maybe. In other places, “no”. There’s nothing definitive to say one way or the other.

Conclusion

“C” is not for compliance because compliance isn’t information security. If you must use compliance as your driver, go after the intent of the law versus the letter of the law (PLEASE).

D is for Data

The words we use make a difference. They make a difference in what we do, how we communicate, and our overall effectiveness as information security professionals.

This may seem basic for you, but it’s important to recognize not everyone is an “expert”. Unless you only work with people like you (experts), you’d better master the application and communication of these basics.

Despite wanting “D” to stand for something else, something a little less obvious and more sexy, it’s for “data”. Covering two things here: what “data” is and why “D” must stand for data.

What is Data?

Wouldn’t it be nice if there was just one definition? Unfortunately, there isn’t one for the word “data”. Merriam-Webster has three:

  1. factual information (such as measurements or statistics) used as a basis for reasoning, discussion, or calculation
  2. information in digital form that can be transmitted or processed
  3. information output by a sensing device or organ that includes both useful and irrelevant or redundant information and must be processed to be meaningful

Dictionary.com has four:

  1. a plural of datum (and datum has five definitions)
  2. individual facts, statistics, or items of information
  3. information in digital format, as encoded text or numbers, or multimedia images, audio, or video
  4. a body of facts

BusinessDictionary has two:

  1. Information in raw or unorganized form (such as alphabets, numbers, or symbols) that refer to, or represent, conditions, ideas, or objects. Data is limitless and present everywhere in the universe.
  2. Computers: Symbols or signals that are input, stored, and processed by a computer, for output as usable information.

Despite eleven definitions from these three sources, there are some commonalities. Here’s the definition that I’ve gleaned: data is raw or unorganized information that is factual and/or statistical.

If “information” is core to the definition of “data”, then what’s the definition of information?

Data that is:

  1. accurate and timely,
  2. specific and organized for a purpose,
  3. presented within a context that gives it meaning and relevance, and
  4. can lead to an increase in understanding and decrease in uncertainty.

Summary Definitions

Data is:

raw or unorganized information that is factual and/or statistical

Information is:

accurate, timely, specific, and organized data that provides meaning and relevance

The difference between the two is organization and meaning.

Why Is “D” for Data?

The simple answer is that data is at the core of everything that is information security and/or data security. To drive home this fact: not only is “information” in the term “information security”, but information is data, and the word “data” is applied all over our industry:

  • data administration
  • data aggregation
  • data breach
  • data integrity
  • data leakage
  • data loss
  • data loss prevention
  • data mining
  • data spill
  • data theft

So, to come full circle on why “D” is for “data” despite wanting to find a more sexy word: data is fundamental to everything we do as information/data security professionals.

There you have it.

Honorable Mention for “D”

  • decrypt (or decryption) – turning ciphertext data (encrypted) into plaintext data.
  • digital – representation of data in discrete units, such as binary (0s and 1s).
  • denial of service – an attack aimed at making a system, service, or application unavailable to authorized users.

There you go. That’s “D”. “D” is basic. “D” is boring (to some). “D” is fundamental.

Next up is “E”.

C is for Cybersecurity

Cybersecurity is NOT the same as information security.

Different words, different things.

What is “Cybersecurity”?

In order to fully appreciate the difference between information security and cybersecurity, we need to define both.

Information Security

The workable definition of information security that I’ve used for decades is:

Managing risk to unauthorized disclosure, alteration, and destruction of information using administrative, physical and technical controls.

This is a workable definition because it hits all the necessary points:

  1. It’s “managing” risk, NOT eliminating risk. Eliminating risk is impossible.
  2. It’s a business issue, NOT an IT issue; therefore, administrative and physical controls cannot be dismissed. Two common phrases to drive this point:
    • It’s easier to go through your secretary than your firewall.
    • Nobody cares about your firewall when someone steals your server.
  3. Keeping things secret is important (confidentiality vs. disclosure), but so is making sure the information is accurate (integrity vs. alteration) and available (availability vs. destruction).

OK. Now for “cybersecurity”.

Cybersecurity

Cybersecurity or “cyber security”, tomayto tomahto.

Seems this is a combination of two words, “cyber” and “security”. So then, what does “cyber” mean?

Let’s Google it:

Me being me, I’m not one to take a single source of truth at face value, at least not if I can help it. What does Merriam-Webster say?

Alright, good enough. Confirmed. Cybersecurity then is defined as:

Managing risk to unauthorized information disclosure, alteration, and destruction using technical controls.

Cybersecurity is a subset of information security. They are NOT the same. We could reason that cybersecurity and IT security are the same (or similar), but not cybersecurity and information security. Sort of looks like this:

If accuracy and language are important to us, which they should be, then we need to get our words and terms straightened out.

Why This Matters

There are several reasons why it matters:

  1. There’s enough confusion already. Don’t believe me? Go ask someone to define “cybersecurity” out of the blue. For the best results, ask three or four people who work in our industry and three or four people who don’t. Note three things:
    • The bewilderment with the question.
    • Their exertion in providing a clear answer.
    • Differences between answers (yours and theirs, theirs and others, etc.).
  2. We’ve fought hard to make this a non-IT issue. The struggle is real. For 25+ years we’ve struggled to get business leaders to buy in and take responsibility for what’s theirs. We’ve been consistently preaching this isn’t an IT issue. We’ve trudged and plodded for slow progress. Now, we start using the word “cybersecurity” and we begin to lose ground. The ground we lose may seem insignificant, but ANY/ALL lost ground is bad. If you’ve fought this battle as long as some of us have, you know how hard we’ve grappled with this issue over the years.
  3. They’re both valid terms/words for what they’re already designed for. One word means one thing and one term means something different. They’re both perfectly valid for what they’re designed to communicate. Why mess with them?

How We Got Here

In my opinion, two reasons, marketing* and laziness.

Cybersecurity sounds cooler, sounds sexier, and probably sells more stuff (not necessarily stuff you/I need). Another reason might be laziness. Information security is eight syllables, and cybersecurity is six. We can save two whole syllables when using “cybersecurity”! Think of all the cool things you could do with the extra syllables we’ve saved! I’ve even heard “experts” refer to information security as simply “cyber”. How sexy is “cyber”?! Using only two syllables?! Sounds super-experty too. The other six syllables can now be used to explain what you actually meant in the first place, I guess.

Changing the meaning of words to fit marketing and/or laziness doesn’t seem right.

How To Get Back

Simple, use your words correctly. If you must use the word “cybersecurity”, preface it with what you’re actually talking about.

Honorable Mention for “C”

  • Confidentiality – protecting from unauthorized disclosure or keeping information secret.
  • Control – we can’t secure things we can’t control. A control is a restriction put upon an asset to protect it from unauthorized disclosure, alteration, and/or destruction. There are many applications of controls and control types, including access control, configuration control, change control, etc.
  • Cryptography – the simplest meaning is “secret writing”. It’s turning plaintext data into encrypted data (ciphertext) and vice versa. Cryptography can be great for protecting against unauthorized disclosure and alteration of information, but doesn’t do anything for protecting against destruction.

Most people could have guessed what “C” was going to be. Next up is “D”.