04.05.07


Information Security As An Open & Closed System

By Dan Morrill

The world of information security is both an open and a closed system in light of the way that we share data.

There are a few who understand that sharing data is a vital component of information security, and there are those who do not believe that sharing information is vital at all.

While I can understand that there are people who honestly believe in, and actively practice, keeping information and skills secret, it is really more a matter of what in information security is being diluted. The sharing or non-sharing of information is a symptom of the greater issues that are confronting the work force, including ours.

Knowledge is power, and if I share my knowledge I dilute my power. This personality type is out there in the information security field. Then there are the polar opposites: if I share my knowledge, I do not get called at 2AM to solve some minor issue. Where a person lands on whether knowledge sharing is a good thing depends on how valuable that person needs to feel.

In talking to folks at work, I am interested in hearing the stories of what happened before I got there. Apparently the last security manager would simply say "no". They were not interested in finding a way to safely do what the folks wanted to do, nor were they willing to seek a reasonable and appropriate compromise and accept some risk in doing business on the internet.

I find this interesting in that the engineering teams are happy that we will work with them, that we can accept risk, and that we will attempt to come up with a less risky workaround. To be in business is to accept risk; we understand that, and we take appropriate steps to reduce risk in conjunction with other teams. The even more interesting part: the old security manager who kept saying no is no longer there, and has been replaced by what the organization needed to survive and go forth to do good things.


The political and social will of the organization was expressed by getting rid of a stumbling block (which, in a formal sense and among a large number of security people, is what we are) and moving on to find security people who would at least work with them. For example, it may be technically accurate to demand a Faraday cage around the building when testing a wireless system.

But given that the data we are transmitting has an effective value of zero, and that the systems, if misappropriated, will not allow access to secret or protected data, it is unreasonable to demand a Faraday cage around the building. The value of the information is nil; the cost to protect the data is prohibitive. Yet the security engineer who insisted on the Faraday cage was, in all honesty, quite insistent upon that protection mechanism.

This is the kind of nonsense that makes security engineering more difficult for those who can really balance risk versus cost. While they meant well, it was neither reasonable nor appropriate for what was being done. This is not an isolated story, but another sad example of the more complex social interaction skills desperately needed by security engineers. We have to understand the business, be able to balance risk and cost, and approach the situation based not just on best practices, but on what is reasonable and appropriate.

Until we can do that as a social group, we will continue to be marginalized as the folks who always say "no". By not sharing the data and the reasoning behind it, we are practicing a closed system or society. If we share why we do the things we do, and come up with ways to mitigate risk (which is appropriate) rather than eliminate risk (which is not possible), then we will be much better off as a group of professionals.

About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.

About ITManagementNews
ITManagementNews answers questions for IT managers. Our experts offer real-world advice and cutting-edge technology for the enterprise. ITManagementNews is focused on Delivering IT Solutions.

-- ITManagementNews is an iEntry, Inc. publication --
iEntry, Inc. 2549 Richmond Rd. Lexington KY, 40509
2007 iEntry, Inc. All Rights Reserved Privacy Policy Legal