About 6 years ago I set myself the challenge of getting the CISSP exam out of the way – something that may only impress a small proportion of the IT community. The Certified Information Systems Security Professional exam is just 6 hours of exam-related stress and several months of study, to prove you know quite a lot about IT security. Quite a lot, but not everything! Like anything, there is always more to learn, but the more you learn the more patterns you see, which makes me question whether Information Security is the new Safety.
Information Security
Information security seems to be a term that everyone has forgotten about. Unless you work in that murky world of management systems and compliance with international (ISO) standards, which funnily enough I try and keep my hand in, nobody mentions it anymore. We use this horrid term ‘cyber’ instead, yuck, and I’ve written about my disdain for the term cyber security before.
Don’t get me wrong, it’s a good thing we’re all now much more aware of information and cyber security, however you frame it. I certainly prefer Information Security, as not shredding my bank statements is just as dangerous as not storing the PDFs securely, and things of that ilk. Information is a term that, funnily enough, we’ve largely forgotten about in Information Technology too; it’s almost as if IT means something else. We focus on the T rather than the I quite a lot, which is really down to the challenge that information represents. Having a shiny piece of tech is somewhat easier than crafting information.
But what is information?
For those of you who don’t have several IT qualifications behind you, information is quite easily defined as:
Information = Data + Processing.
Data hasn’t really got any value until it’s transformed into information, which requires work. We are all ‘cyber’ aware, worrying about all the bits and bobs Google and Apple are collecting on us. Half the time, they haven’t even figured out how they’re going to make that data into anything valuable yet. They have data on you, but that isn’t necessarily dangerous.
Similarly, in Information or Cyber Security, a loss of information has an impact that is known, because it has a value. Loss of data is a much more abstract thing. Quite often, a few different data items are required to do anything nefarious to you. For example, I know your address, but I don’t know your mother’s maiden name or your date of birth. The chances that I can call up your bank and gain access to your online banking are slim without all those items.
All of those data points, combined with nefarious intent, become information. If I collect multiple bits of data on you, I can combine them into information about you. Enough information that I can reset your phone and online banking details. Information that, if lost, is a security risk to you.
There are of course many distinct levels of risk according to the type of information in question. Your online banking login information is obviously a higher risk than data on your address and mother’s maiden name. So, we have both data and information that we need to protect and secure, all with varying levels of risk associated with them.
Where does safety fit into this?
Having worked in the engineering and construction sectors most of my life, I’ve often joked with my colleagues in safety that it’s their job to stop the job! Of course, I know that’s not true. Although, Homer Simpson is a Safety Advisor – just saying!
Safety done right involves assessing risk and providing the necessary mitigations before something goes wrong. Most of the safety professionals I know are exceptionally good at this. The bad ones, of course, are not, like Homer.
Safety as a discipline is much more mature than cyber security too. My perceptions of safety 25 years ago were, of course, about stopping jobs. We all read in the news about Health and Safety gone mad and kids wearing PPE to play conkers in autumn.
Thankfully, safety does seem to be finding its stride, and proper, sensible risk assessments seem to be reducing the number of over-the-top news articles that are produced.
The industry has a lot of parallels with cyber security too. Risk assessments and mitigations are just as important in Information and Cyber Security.
I’d also say we’re another 10-15 years off where the safety industry is now.
Is InfoSec and Cyber Security the new Safety then?
In some businesses IT is already referred to as the “Department of No!”. Safety’s reputation, especially in the sectors I’ve worked in, has been a bumpy and high-profile one. The importance of safety has grown, and not without just cause. In construction and engineering the number of fatalities and injuries has been drastically reduced due to the increased importance safety has received. We all have a right to come home at the end of our shift alive and unharmed. It’s almost unfathomable that in many industries, the risk of injury and death once came with the job.
I’ve seen safety on that journey to maturity, where they clashed with colleagues to prevent unsafe actions being taken. They were the previous “Department of No”; however, that has certainly all changed, with them now acting as a positive collaborator and advisor in getting things done.
Cyber and Information Security functions are either rolled into IT or stand apart from it. It’s still early days for the discipline, and that level of collaboration and understanding of the business they work for is still quite new too. My mind is clear though: the only way to effectively move the discipline towards being that enabler in getting things done is to collaborate better.
Going back to my point on information: one person’s data can be another person’s information. Wut? Think about it. You are the experts in what you do. Everything you store, electronically or otherwise, means something to you. You have processed it. It’s difficult for another function to come along and make sense of that.
Not having that contextual awareness means they’re likely to err on the side of caution when it comes to risk assessments and classification of that data. They will over-classify and over-protect the data whose value they don’t fully understand.
Can’t bullsh*t a bullsh*tter!
To avoid this “Department of No” scenario, both the business and the information and cyber security function need to meet in the middle. Cyber security specialists need to get better at drawing out from the end users of a service what the information means, so they can best advise on its risk profile and the mitigations required. The business also needs to become more aware of what it is that the cyber security function does. In many respects, they can only advise on best-practice mitigations based on their understanding of the value of your data and the risk it is subject to. That requires your input!
As for me, well, I got the CISSP exam done mainly to stop objections. Quite frequently, as a technology specialist, I’m met with many reasons as to why you can’t do things. Cyber has just become the latest addition to the lengthy list. Any change management practitioner will tell you the same. Being qualified in the same discipline means I can act for the business and hopefully find that nirvana of collaboration between the business and the cyber security function on the projects we work on. It sometimes works too!