There can be no disputing this simple point. Information Security does not exist to keep all information absolutely secure. It can’t, even if that were a good idea.
Which, incidentally, it isn’t.
Completely secure information is about as much use as that classic beginner’s programming challenge: “Design me a useful program with no inputs and outputs”. The answer of course is that it can’t be done. Information, like a computer program, has to do something useful.
Of course somewhere out there, someone is thinking that’s not true. OK, it’s not. You can have useless information (like this blog, that same person is thinking…); however, in a business context, if you have information you’re not using, it’s time to bin it. Information has to be useful or we might as well not have it. Fact.
So, if absolute security is an absolutely rotten idea, we must all be in it for something else. That’s risk management then – keeping information as secure as is sensible whilst allowing the business to operate – even whilst helping the business to operate.
So, some questions:
- Why are we so bad at explaining the business consequences of security threats and vulnerabilities?
- Why are so few security metrics risk-orientated?
- Why is security so often seen as a hindrance to achieving business objectives, rather than an enabler?
- Why are information security theory and practice so divergent from operational risk theory and practice?
- How do we fix it?
- And finally, accepting that we can’t achieve perfect security, how do we deal with the fact that at some point, it will go wrong?
If you’re interested in the answers, let me know when you find them. If you’re interested in discussing some of these issues, join me at InfoSecurity Europe at Earls Court, London this Tuesday for the keynote debate “RISK: Defining ‘Risk Management’ & What It Means In The Context Of Information Security” with myself, Prof. Paul Dorey of the IISP, Boris Goncharov of G4S and Matthew Lord of Steria UK.