Be Reliable And Trustworthy In Information Security

Dan Morrill, Expert Author. Article Date: 2008-06-09

Kees Leune has written an interesting blog article titled "Essential Truths in Information Security: Be Reliable and Trustworthy." He states:

To be able to perform his role effectively, an information security professional must be reliable and trustworthy. If the data owners do not trust the information security professional, they will not involve him in risk assessment and protection decisions. If the information custodians do not trust the information security professional, he will run into significant barriers when trying to implement and operate security controls. Source: Leune.org

I have often said "don't use your super powers for evil," yet we always run into the human element in information security, and that includes ourselves. We often strive to build power and control in an organization; some of us in the profession take a "no holds barred" approach where we must win our argument every time. For others the new trick is to get an executive to sign a piece of paper saying that they have been duly notified of the risks involved in project X, even though most executives are not willing to sign that paper.

While some of us use these tricks, others are busy building relationships with data owners, data users, and other parts of the organization. The barriers we need to cross and the bridges we need to build sit on many years of mistrust and overuse of the word "no." If we do this right we are often successful, but if we are ever wrong, we lose credibility quickly, and it is hard to rebuild those bridges after a major loss of credibility in the organization.

The unfortunate part is that information security can be just as wrong in making a call as anyone else in the organization. If we do not commit to continuous learning, if we do not keep abreast of new attacker techniques, new ways of doing things, new approaches, and above all new business methods, it becomes harder and harder for information security folks to stay credible. The more we say "no," the more we are doomed in the larger hierarchy of the company.

The person saying no should not be the information security professional. Our job is to identify risk, and have someone else decide if that risk is acceptable. Once that assessment has been made, we will design, implement, and operate security controls that are designed to help people do their jobs better. Source: Leune.org

This is the hardest part of the information security person's job: saying yes, identifying risk, developing controls around that risk, and building bridges. All of it rests on trust and reliability. The successful information security professionals in business get this, use it, and stay out of corporate politics as much as they can. They facilitate, teach, learn, communicate, and enable the business. We have all seen the net effect on security departments that don't do this: they are the last ones to know about a project, they do not coordinate with other groups, they do not even talk amongst themselves, and while they appear powerful in the organization, their power is illusory.

These are the two points I advocate for making it in business as an information security person. Going forward, information security professionals will have to be jacks of all trades, understanding not just that things work but why they work the way they do. In that search for "why things work the way they do," they also must not impede the business from doing what it needs to do at the speed it needs to do it. That is the other essential truth: business dictates, and in many ways information security is being reduced to risk management and risk mitigation at the corporate level.

There will always be the fun part of information security: hunting down bad folks, breaking malware, hunting down botnets, hacking web sites. But that work goes to people who have invested time and energy in their skill sets. If you are still "manning the IDS system" after 10 years, it might be time to learn more about the business you work for. Depending on where you want to go, learning all you can about the business you work for, learning to be an enabler, and learning about technology other than your own can make you one of the best security engineers in the world.

About the Author:
Dan Morrill runs Techwag, a site all about his views on social media, education, technology, and some of the more interesting things that happen on the internet. He works at CityU of Seattle as the Program Director for the Computer Science, Information Systems and Information Security educational programs.
