The ABCs of Information Security
Learning the ABCs is important to understanding the English language, and the ABCs of Information Security are important for understanding the basic concepts in information (and people) protection. These ABCs are written as education for people who don’t speak information security natively and serve as good reminders for those of us already fluent in this confusing language.
Here’s our progress thus far:
- “A” is for accountability
- “B” is for business
- “C” is for cybersecurity
- “D” is for data
- “E” is for everyone
- “F” is for fundamentals
- “G” is for governance
- “H” is for holistic
Now for “I”…
“I” is for “if”.*
What if we were less ignorant, imperious, incoherent, irksome and impetuous, but a little more integrous, inoffensive, instrumental, interpersonal, and ingenious? Would we be less inundated with incessant information security incidents?
What if we were less inept and imprudent with the technology that’s so intertwined with every aspect of our daily lives? Would it even be possible to become impenetrable, impregnable and impervious to interminable attacks?
If we do more of the right things right, and less of the wrong things wrong, just think how much better off we’d be. The people we serve would be safer, we would be saner, and the world would be a better place!
The keys to making “if” closer to reality are less ignorance and more integrity.
What if we were less ignorant?
Ignorance is the lack of knowledge, understanding, or information about something.
Ignorance runs rampant within our industry and amongst the people we serve. People don’t know what information security is or what their personal responsibilities are.
If we were less ignorant, we’d know what information security is, and we’d know that it cannot be separated from privacy or physical safety. We’d know the importance of information security basics, and we’d practice them religiously. If we were less ignorant, we’d know how vulnerable we are and we’d demand better of ourselves. We’d know what we’re responsible for and what we should hold others accountable for. If we were less ignorant, we’d think twice before plugging that new sexy gadget into our home network. We’d demand more protection in the products and technologies marketed and sold to us incessantly.
By definition, we’re all ignorant. Nobody knows everything, but this isn’t the issue. The issue is being ignorant of something we shouldn’t be ignorant of.
Is it OK to be ignorant of:
- computer security best practices if you use a computer?
- Internet security best practices if you use the Internet?
- what things are running on your home network if you have a home network?
- online safety best practices if you have loved ones (kids, spouse, et al.) who are online?
- the most significant organizational security risks if you’re the leader of the organization?
- information security basics if you’re in charge of information security?
The answer in all these circumstances is “NO”. It’s NOT OK to be ignorant of things you are responsible for.
In today’s world, we can no longer separate information security from privacy or safety; even personal, physical safety. Everything is integrated. A single information security incident has the potential to expose private information, but even worse, it has the potential to kill someone. The truth is, information security is a life skill that all people must learn. Everyone has responsibilities, so what are yours?
Accepting ignorance is a default response when people are confronted with something that seems too complex, too confusing, too technical, or too anything. The key to fighting ignorance is simplification and mastering the basics. The basics are boring, the basics aren’t sexy, but despite these things, the basics are absolutely necessary.
So, what are the unsexy basics?
The first basic principle is to define rules for the game.
- If you’re the head of your household, you’re the boss and you make the rules. It’s NOT OK to accept ignorance in this role. Learn what good information security behaviors are, lead by example, and expect others to follow. Ultimately, every bit of data that traverses your home network, every website visited by you and your family members, every device you plug in, everything is your responsibility.
- If you’re not the head of your household, your job is to follow the rules and provide respectful feedback. No rules? Go see the head of your household and help them define the rules.
Go check out S2Me, it’s a FREE and SIMPLE personal information security risk management tool.
- If you’re the CEO (or whatever title sits at the top of the org chart), you’re like the head of the household (above) for your organization.
- If you’re not the CEO, your job is to follow the rules and provide respectful feedback. No rules? Go see the CEO (or his/her assistant) and help them define the rules.
Quick sidenote: This isn’t the article about writing rules for you, but maybe “R” will stand for rules (later).
No rules = chaos, anarchy, confusion, and disorder. There must be rules. You either define the rules and follow them, or you follow them and provide feedback. Now that you’ve read this, you cannot claim ignorance. You have knowledge, and now you must act.
Knowledge without action is negligence.
I’m not a lawyer, so I won’t give legal advice. The generic definition of negligence is “failure to take proper care in doing something”. Are you negligent if someone suffers because:
- you don’t know the right thing to do, but you should?
- you know the right thing to do, but fail to do it?
Ignorance isn’t bliss, it’s breach.
More than once, I’ve heard the comment “ignorance is bliss”. Being ignorant of something you shouldn’t be ignorant of is nothing more than an excuse for laziness and genuinely not giving a sh*t.
What if we were more integrous?
Integrous is the adjective form of integrity.
Integrity is an oft-used word in our industry, and here’s the definition:
- the quality of being honest and having strong moral principles that you refuse to change
- someone’s high artistic standards or standards of doing their job, and that person’s determination not to lower those standards
- the quality of being whole and complete
Integrity applies to our industry in (at least) two ways; the integrity of data and the integrity of personnel responsible for protecting data.
Integrity of Data
If you’ve been in our industry for any amount of time, you’ve surely heard of the CIA triad. It’s an acronym for a fundamental concept; we protect the Confidentiality, Integrity, and Availability of data. Our “I” in CIA refers to the wholeness, completeness, and accuracy of the data we try to protect.
Simple. It’s important to remember that our job goes beyond making sure data is kept secret; we also need to make sure it’s accurate and available (to those who are authorized to access it).
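The distinction between the “C” and the “I” in CIA is easy to state and easy to get wrong in practice, so here is an added example (not from the original article) that makes it concrete. A record is encrypted with a toy stream cipher (a SHA-256 counter keystream, an illustration only and not a cipher to use for real), which gives confidentiality: the bytes on the wire reveal nothing about the amount. But a stream cipher on its own gives no integrity: someone who knows the record layout can flip bits in the ciphertext, without the key, and change the amount that decrypts out. An HMAC tag over the ciphertext is what catches the change. The record, keys, nonce and field layout are all constructed for the example.

```python
import hashlib
import hmac

# Constructed, fixed keys and nonce so the example is reproducible offline.
ENC_KEY = bytes(range(32))
MAC_KEY = bytes(range(32, 64))
NONCE = b"\x00" * 16

# Constructed record; the amount field starts at byte 18 ("payee=ACME;amount=").
RECORD = b"payee=ACME;amount=00100"
AMOUNT_OFFSET = 18


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || nonce || counter) blocks.
    Illustration only; it is not a vetted cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def tag(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Integrity tag over nonce and ciphertext (encrypt-then-MAC)."""
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def verify(mac_key: bytes, nonce: bytes, ciphertext: bytes, t: bytes) -> bool:
    """Constant-time comparison so the check itself does not leak the tag."""
    return hmac.compare_digest(tag(mac_key, nonce, ciphertext), t)


def flip_field(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """What an attacker without the key can do to a stream cipher: XOR the
    ciphertext with (old XOR new) so the plaintext field becomes `new`."""
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


def demo() -> dict:
    ciphertext = xor_crypt(ENC_KEY, NONCE, RECORD)
    t = tag(MAC_KEY, NONCE, ciphertext)

    # Confidentiality holds: the ciphertext is not the record.
    assert ciphertext != RECORD

    # Attacker rewrites "00" -> "99" in the amount without knowing ENC_KEY.
    tampered = flip_field(ciphertext, AMOUNT_OFFSET, b"00", b"99")

    return {
        "original_plaintext": xor_crypt(ENC_KEY, NONCE, ciphertext),
        "tampered_decrypts_to": xor_crypt(ENC_KEY, NONCE, tampered),
        "original_tag_ok": verify(MAC_KEY, NONCE, ciphertext, t),
        "tampered_tag_ok": verify(MAC_KEY, NONCE, tampered, t),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The tampered ciphertext still decrypts cleanly, just to the wrong amount; only the tag check says “no”. That is the practical content of the “I”: secrecy alone does not tell the recipient the data is whole and accurate, and a design that encrypts but never authenticates has protected confidentiality while leaving integrity to chance. In production the same lesson is why authenticated encryption modes (AES-GCM, ChaCha20-Poly1305) exist rather than a hand-rolled cipher plus MAC like this one.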
Integrity of Personnel
On this point, it’s hard not to rant. To keep us honest, we’ll over-simplify.
In our industry, there are the practitioners who work their tails off to protect people, and there are suppliers who make things practitioners use to protect people. Practitioners and suppliers; integrity is paramount to both. A lack of integrity in either is terrible and sad.
The person behind the keyboard is an integral part of any information protection strategy. Their integrity must be rock solid and continually verified. Background checks, character references, solid OSINT, etc., are all encouraged before hiring anyone. Address the questionable things before hiring, and not after you’ve given them the keys to the kingdom. Depending upon your comfort level, sensitivity of the job, etc., questionable things should be questioned, but they don’t always need to be a disqualifier. Giving people the opportunity to address the questionable things from their past might be good, given that people change (hopefully for the better).
Verify integrity constantly. At work, a practitioner shouldn’t mind having his/her activities monitored continually. They should see the value in it.
What’s worse, an attacker stealing $100,000 from your organization’s bank account or someone selling you security software that doesn’t work, or you can’t use, or you don’t need, or…? They’re both bad and either way you’re out a hundred grand. Stolen (or wasted) money is money your organization can’t use for better things; market expansion, employee benefits, innovation, etc. Suppliers who sell something to a practitioner when they know it’s not the right thing are like wolves in sheep’s clothing; almost worse than an attacker because at least you know the attacker is bad.
There are many suppliers who operate with integrity in our industry, but we must do a better job weeding out the ones who aren’t.
There you have it. “I” is for “if”. What if we were less ignorant and more integrous? Things would be much better around here.
*NOTE: “If” was inspired by my good friend Chris Roberts. Thanks!