Feb 02 2007
What is security anyway? I invite you to recall the familiar scene: at least two camps are pitched approximately opposite one another and expert opinions are lofted high like battle standards; hooves stamp and nostrils flare at the scent of battle. Troops rally and charge, circle, regroup and charge again. Spectral warriors, wielding swords of wind, whip up a furious tornado, eventually tire and subsequently retire to dress imaginary wounds.
In the spirit of peace, I submit this humble definition, which I did not make up myself.
Main Entry: se·cu·ri·ty
Pronunciation: si-’kyur-&-tE
Function: noun
1 : the quality or state of being secure
Chicanery, you say? A quibbling evasion? Perhaps. But is there not a kind of poetic truth to this lowly definition? What does it matter what security really is, if the supposed beneficiary of said security cannot put a check-mark in the little box labeled secure? Academically, it may be perfectly true that a customer is actually asking for business continuity, but we can’t be surprised when they think of it as a security matter. After all, to them it is.
What does the customer care about whether fault tolerance ought to stay in the IT department when the only hard drive with their financial records loses a platter? Would you expect them to agree that their data was secure? What does the CIO care about the validity of denial of service as a security threat when their online application slows to a crawl at the hands of a network of really linkedin zombies? Would you begrudge their conclusion that the security of their business was compromised? What concern does the end-user have for the intricacies of the seven-layer model versus the gun-and-ski-mask model when their Visa number shows up among cardz4sale? Do they feel secure?
I wouldn’t blame any of the many smart people in our industry for debating the borders of the information security discipline as a means of better understanding how to face risks – or just for fun (after all, when your intellect hums like a light saber how can you not let it out of its sheath now and then?) – but ultimately, we can’t be surprised when our clients tell us it’s irrelevant. As security practitioners, if we want to be taken seriously in the real world, where bottom lines are tallied with actual numbers and trust is the life-blood of business, we increasingly need to think again before we say that’s not my department.
Posted by Benjamin Field on Friday, February 2nd, 2007, at 6:00 am, and filed under Articles.
Larry J. Hughes, Jr. | 15-Feb-07 at 3:09 pm | Permalink
Merriam-Webster also includes this in the definition of security: “freedom from the prospect of being laid off.”
In talks I give I note that security is an abstract noun. As such it is erroneous to objectify it. Yet we objectify security all the time, which I personally find dangerous. To skeptics I suggest they substitute the word “quality” for “security” in their contrary assertions. It produces interesting reactions.
“We’ll add QUALITY in the next version”
“My director says not to let QUALITY get in the way of our deadline”
“QUALITY was never a concern for us before”
“That’s the QUALITY team’s problem, not ours”
Show me an executive who’ll tolerate the above statements and I’ll show you an executive who’s getting faux results if any at all. Show me an executive who tolerates the “SECURITY” version of the statements and I’ll show you…well…your garden variety executive.
Benjamin Field | 15-Feb-07 at 5:01 pm | Permalink
Well, it stands to reason that the best way to avoid being laid off is to quit first. Now, if you’ll excuse me, I need to get started on my new security program, and my calendar is jam packed with all the nothing I have to get done before Friday.