When it comes to information security there are about as many opinions on the subject as there are network hosts in any given organization. Everyone has his or her own definition of “secure,” yet it is a slippery thing that cannot truly be quantified. So, when management, auditors, business partners, and customers come asking how secure your environment is, what comes to mind? What do you say? How do you even define the word? It is a genuinely hard question, but one thing is for sure: the answer is different in every situation.
What “secure” means to me is:
- The information risks have been identified.
- The risks have been prioritized.
- Management is on board with the risks and has allocated the appropriate resources to address them.
Information security is not a state of compliance. It is not a situation where everyone is happy with the current level of perceived security. Nor is it the fact that no known breaches have occurred. This last point is where many organizations get themselves into trouble. Everything is quiet and humming along, and the assumption is that all is well as long as no issues are being detected. That is hardly ever the case. In fact, many businesses first learn that they have been breached when a third party tells them.
Perhaps the greatest challenge with information security is assuming that someone else is taking care of all the right things. It is no different from those committee meetings we are all subjected to, where everyone assumes that everyone else has things under control. There has to be accountability when it comes to security. Perhaps that accountability comes from a third-party auditor or consultant telling you where things stand, including the things you do not want to hear. Perhaps it comes from vulnerability scanners and related security tools, which keep getting better at uncovering new issues and providing the latest intelligence. Perhaps it comes from you and your team of IT and security professionals getting better: knowing what to look for and how to address security issues as they arise.
At the end of the day, only you will know what “secure” means in the context of your business, based on your own governance and compliance needs and, especially, on your business’s bottom line. After all, security is not the primary goal of most businesses. The goal is acquiring and retaining customers and ensuring that shareholders are taken care of. If you keep that in mind, and keep your finger on the pulse of how security affects your business and your unique situation, you are going to be well ahead of the curve.
Perhaps most importantly, keep in mind that you do not have to be at the front of the herd with the highest level of security. You do, however, need to be at least in the middle of the pack and not stand out as a straggler. The last thing you want to do is draw attention to yourself. Secure or not, you are definitely a target.
Please share your comments and feedback in the comment box below.