H is for Holistic

Despite all the words that could have been chosen for the letter “H”, here it stands for:

Holistic

We use the word “holistic” semi-frequently in our industry, and there are several definitions. The two definitions I like best are both from the Cambridge Dictionary:

dealing with or treating the whole of something or someone and not just a part:

and the second, similar definition:

relating to the whole of something or to the total system instead of just to its parts

So then, a couple of questions with respect to “holistic” and “information security”:

  1. What is the “whole” of information security?
  2. Why is the “whole” of information security important?

Let’s figure it out.

What is the “whole” of information security?

Ask an “expert”. Heck, ask ten! See what response(s) you get.

A simple definition of information security would help; however, a significant and often overlooked problem in our industry is that we still haven’t agreed on one. If you don’t believe me, and don’t want to ask an expert, Google “What is information security?”:

  • the state of being protected against the unauthorized use of information, especially electronic data, or the measures taken to achieve this.
  • Information security, sometimes abbreviated to infosec, is a set of practices intended to keep data secure from unauthorized access or…
  • Information Security refers to the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.
  • Information security, sometimes shortened to infosec, is the practice of protecting information by mitigating information risks. It is part of information risk…
  • The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

These are only the top five results. There are certain similarities; however, there are significant differences too. Only one of the definitions mentions risk, and even then it talks about “mitigating” risks rather than managing them. I won’t dissect all the definitions here, but the point is, we don’t all agree. Just last week, I read an article from one of our industry experts who claimed that information security and cybersecurity are one and the same.

Ugh! This is us.

If we’re not confused enough ourselves, how do you think we’re viewed by people who don’t work in our field? You know, the ones who are ultimately responsible for information security in the organizations they lead?

Many of them, and some of us, believe information security is complex, overwhelming, and confusing. The default reaction for such things?

Ignorance.

Let’s simplify, explain, and fit information security into organized boxes. Maybe this will help. In order to understand the “whole” of information security, we must first know what “information security” is. The definition:

Information security is managing the risk of unauthorized disclosure, modification, and destruction of information using administrative, physical, and technical means (or controls).

We can slice and dice this thing into millions of parts, but this will get us into the weeds quickly and back to that overwhelming feeling. A trick that’s worked for me and my clients is to dissect the “whole” of information security, from the top. Start with the goal or purpose of information security and work our way down through to the minutiae.

The purpose of information security is risk management.

Period.

The purpose of information security is NOT compliance and it’s certainly NOT risk elimination (which is impossible). So, start there.

The three high-level functional areas of information security are Administrative, Physical, and Technical means (or controls). Add those next.

Notice the overlap?

Everything is in the context of risk management. Administrative controls govern how we do things, including our handling of physical and technical controls. There has to be overlap between physical and technical controls because it doesn’t matter how well a server is configured when someone steals it.

From here, plug in all the other stuff. Again, fight the urge to dig in the weeds at this point. We can debate details for days (they vary from organization to organization anyway), but this is a good structure for holistic information security.

The most important points for holistic information security are understanding:

  • This is about risk management. (NOTE: Risk mitigation, referenced in one of the cited definitions earlier, is a risk decision as part of risk management. Some risks are completely acceptable as-is, and don’t require mitigation.)
  • Administrative controls rule the others. Computers only do what we tell them to do. Tell them to do bad stuff, and they will. Tell them to be configured poorly, and they will.
  • Clearly, information security isn’t just an IT issue.

So, who cares?

Why is the “whole” of information security important?

We can’t fully realize the benefits of information security without understanding and treating the “whole” of information security. Otherwise we sell ourselves, and the organizations we serve, short. Two important things come to mind almost immediately: we don’t realize the benefits, and we don’t live in reality.

Reality

Treating the “whole” of information security better protects us from being blindsided by something we didn’t account for. You’ve probably heard the saying, “your security is only as good as your weakest link”? It’s been said thousands of times by people a lot smarter than me; here are just a few:

So, then. What is your weakest link?

Treating any one part of information security while neglecting others is poor information security. If you’re fooled into thinking that you’re sufficiently protecting yourself (or your organization) without taking a holistic approach, you’re living with a false sense of security. It’s not reality.

Benefits

Information security has been treated as a cost center since before I started my career in the early 1990s. Sad. Why can’t we use information security to be more efficient, drive more business, and ultimately make more money (assuming this is the purpose of the business)? We can, but it takes an intimate understanding of holistic information security and of the organizations we serve.

The short of it: mission (or purpose) alignment is key. Think about it for now, and perhaps we’ll elaborate more when we get to “M”.

Treating the “whole” of information security makes us better consultants to the organizations and leaders we serve. The most common “tell” for an information security leader (CISO or vCISO) who doesn’t understand (or treat) the holistic view of information security is his/her inability or unwillingness to put risk into context. The best CISOs are 1) great leaders and 2) understand risk in context.

Honorable Mention for “H”

Several words could have been chosen for the letter “H”, including:

  • Hacker – a person who can think outside of the box, exploring ways to use things beyond their intended purpose. Some hackers are motivated by curiosity, others by notoriety or money. What motivates a hacker is often deeply personal. Just like most things in life, hacking can be used for good or evil, depending upon the motivation.
  • HAL – an acronym for hardware abstraction layer, but every time I think “HAL”, I think of HAL 9000. HAL 9000 is the fictional artificial intelligence system from 2001: A Space Odyssey. If you haven’t seen this movie, stop reading now. It’s a classic, and you need to watch it.
  • Hardening – making systems (infrastructure, computers, etc.) less vulnerable, usually by reducing their attack surface through configuration. Classic hardening techniques include removing applications that aren’t necessary, disabling services and network ports that aren’t necessary, and strengthening authentication (with MFA or otherwise). Well-known resources for system hardening include the CIS Benchmarks and the Security Technical Implementation Guides (STIGs).
  • Hardware – the stuff you can touch. Assets come in two forms: tangible and intangible. Hardware assets are tangible and are often used to manage intangible assets such as software and data.
  • HITECH – acronym for Health Information Technology for Economic and Clinical Health Act. This regulation was enacted in 2009 as part of the American Recovery and Reinvestment Act (ARRA). HITECH prescribes certain information security requirements and clarifies others (related to HIPAA) for healthcare and related entities.
  • HIPAA – acronym for the Health Insurance Portability and Accountability Act, enacted in 1996. Prescribes certain information security and privacy requirements for healthcare entities.
  • Heuristic – in simple terms, a problem-solving method based on experience and rules of thumb rather than exhaustive analysis. In security tooling, “heuristic detection” flags suspicious behavior or code patterns instead of matching known signatures, trading some false positives for the ability to catch things nobody has seen before.
  • Home Area Network (HAN) – the network, and everything connected to it, in your (and my) home.
  • Honeypot – a purposely vulnerable computer system deployed to attract attackers. Honeypots are often deployed as a deception technique and/or to learn about the tactics attackers are using in the wild.
  • Human – You and me. I’ve often said that information security isn’t about information or security as much as it is about people (humans). Humans are the ones who suffer when things go wrong (if we didn’t, then nobody would care), and we are the most significant risk (not the computer).
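To make the “hardening through configuration” entry above concrete, here is an added example (not code from the original post) that checks an OpenSSH `sshd_config` against a small baseline. The baseline items are my own illustrative picks in the spirit of CIS/STIG SSH guidance, not a copy of either benchmark, and the OpenSSH default values it assumes should be verified against `man sshd_config` for your version. The two configuration samples are constructed for the demonstration. The point it makes beyond the bullet is that a hardening checker has to apply the same parsing rules the daemon does: in `sshd_config` the first occurrence of a keyword wins, commented-out lines are only a display of defaults, and anything after a `Match` line is conditional.

```python
"""Check an sshd_config against a small hardening baseline.

Added example, not part of the original post.  The baseline is illustrative
(loosely in the spirit of CIS/STIG SSH guidance), not a copy of any benchmark.
The OpenSSH defaults below are an assumption taken from the sshd_config manual;
confirm them for the OpenSSH version you actually run.
"""
from typing import Callable, Dict, List, Tuple

# Values sshd uses when a directive is absent.  Commented-out lines in the
# shipped file merely display these defaults; they are not active settings.
OPENSSH_DEFAULTS: Dict[str, str] = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",
    "maxauthtries": "6",
    "loglevel": "INFO",
}

# Hypothetical baseline: keyword -> predicate the effective value must satisfy.
BASELINE: Dict[str, Callable[[str], bool]] = {
    "permitrootlogin": lambda v: v == "no",
    "passwordauthentication": lambda v: v == "no",
    "permitemptypasswords": lambda v: v == "no",
    "pubkeyauthentication": lambda v: v == "yes",
    "x11forwarding": lambda v: v == "no",
    "maxauthtries": lambda v: v.isdigit() and int(v) <= 4,
    "loglevel": lambda v: v.upper() in ("INFO", "VERBOSE"),
}


def effective_settings(config_text: str) -> Dict[str, str]:
    """Return the value sshd would actually use for each baseline keyword.

    Parsing rules that trip up naive checkers:
      * the FIRST occurrence of a keyword wins, not the last;
      * keywords are case-insensitive;
      * 'Keyword=value' is accepted as well as 'Keyword value';
      * everything after a Match line is conditional, so scanning stops there.
    """
    seen: Dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 1 and "=" in line:
            parts = line.split("=", 1)
        if len(parts) != 2:
            continue
        key = parts[0].strip().lower()
        value = parts[1].lstrip("=").strip()
        if key == "match":
            break
        seen.setdefault(key, value)  # first match wins
    return {k: seen.get(k, default) for k, default in OPENSSH_DEFAULTS.items()}


def check_hardening(config_text: str) -> List[Tuple[str, str, bool]]:
    """Evaluate every baseline item; returns (keyword, effective value, passed)."""
    effective = effective_settings(config_text)
    return [(k, effective[k], bool(pred(effective[k]))) for k, pred in BASELINE.items()]


def failures(config_text: str) -> List[str]:
    """Keywords whose effective value violates the baseline."""
    return [k for k, _, ok in check_hardening(config_text) if not ok]


# Constructed sample: looks partly hardened, but the first PermitRootLogin wins
# and the commented defaults leave password logins enabled.
WEAK_CONFIG = """\
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 10
PermitRootLogin yes
# The line below has no effect: sshd already took the first value above.
PermitRootLogin no
"""

# Constructed sample: every global directive set explicitly; the Match block
# is conditional and therefore outside the global check.
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 3
LogLevel VERBOSE
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: failing items -> {failures(cfg)}")
```

Run it and the weak sample fails four items even though its last line says `PermitRootLogin no`; a checker that took the last value, or treated the commented lines as settings, would report it as mostly fine. That is exactly the false sense of security the post warns about: the control you think you have is not the control the system enforces.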

That does it for “H”, now on to “I”.
