What Is Information Security? Really??
In the current issue of IEEE Security and Privacy, Silver Bullet Editor Gary McGraw, CTO of Cigital, asks an interesting question: “What is security?” His interviewee, Gunnar Peterson, Founder of Artec Group, mentions Dan Geer’s statement that security is “risk management.” Later in the interview, McGraw asks whether security is “a thing.” Peterson says it’s a “set of services.” Also, security is defined by Butler Lampson as authentication, authorization, and auditing (“Au,” the Gold Standard – ha ha). All of this mumbling about security illustrates an essential problem with the profession and the intellectual domain of information security: there is no good definition of information security that is generally accepted. For years, I have proposed that a better definition of information security than “CIA” is
a well-informed sense of assurance that
information risks and controls are in balance.
This new definition illustrates an imperative in the practice of information security: information security is not a “thing.” It is not a snapshot. It is a feeling. And, ultimately, information security is a feeling within the human beings who are called upon to draw conclusions and make judgments about the trustworthiness of any given system with regard to the protections around its information. I think information security professionals are uncomfortable with the idea that information security can be defined as a “feeling.” It sounds too “touchy-feely.” But using the feeling-based definition of information security is essential, because it will focus our attention as a professional discipline on the holistic problem of building a sense of assurance, within diverse groups of people, about the security — the set of controls and risks around a given information system — of an organization. This assurance-based definition of information security forces not only a level of transparency about the actual functioning of controls but also, to a certain extent, a dialogue with principals — whether they be CEOs, consumers, or those who procure third-party information services — about their tolerance for risk.

The beauty of the “best practices” approach to information security is that one can ask the question “do you have two-factor authentication,” get an answer, and make a mark on a checklist. At some level this is satisfactory to all the parties at the table. However, in an era of revelations about new billion-dollar Ponzi schemes each week, the importance of transparency and due diligence has been rediscovered. Simply asking “do you have two-factor authentication” and getting a yes/no response does not even approach the level of understanding that is needed to conclude whether or not authentication security is adequate and appropriate for the information at hand.
An assurance-based definition of information security will force information security professionals to understand, at a new level of transparency, not only the mechanisms by which controls function but the degree to which those controls have been properly implemented. Similarly, an assurance-based approach will force those who operate controls not only to understand at a new level of transparency how those controls function, but to be able to measure and demonstrate how the functioning of those controls over a period of time achieves a defined level of protection. Without assurance, information security as a practice is stuck on “talk” about CIA, about risk management (whatever that is), and so on. Once assurance is factored into the mix, information security practitioners are forced to “walk the talk” — that is, to define and understand the level of operational control that is actually achieved in a given system or organization after a given quantity of due diligence, investigation, and conclusion-drawing has gone in.
I had a great conversation recently with a friend of mine who is eminently qualified, with deep academic credentials, within the practice of information security. We touched on the topic of whether or not information security is a science. The unfortunate truth about today’s level of practice in information security is that there’s hardly any science involved. Sure, there’s some math involved on the crypto side of things, but science is not a major underpinning of our discipline as yet. Today, information security is much more of an art than a science. Artists make art, and whether or not a given painting or musical composition is art is quite subjective — I would argue far too subjective to form the basis of a discipline as important as information security. Information security needs to move to a world where facts, hypotheses, theories, and perhaps even proofs provide the underpinning for the risk decisions made by key stakeholders about whether or not information is safe. Only when we move to an assurance-based definition can we begin to know with any certainty whether an organization is merely “talking a good game” or is able to demonstrate that it “walks the talk.” Let’s begin asking CEOs, regulators, and other stakeholders how they know that a given control asserted to be in place at a given organization is in fact adequate. One of the reasons large auditing firms play such an important role in today’s world of financial due diligence is that they have a well-developed set of procedures to test the systems of internal controls — including information security controls — of their respective audit clients. But while these procedures do a good job of allowing auditors to discover whether controls are implemented and operating properly, they are very costly and don’t really get at the question of how much risk is appropriate to take. This is where information security professionals have to focus their attention.
The present financial crisis provides the perfect opportunity for infosec professionals to refocus their attention on how to achieve assurance within an organization or system. Financial professionals are struggling to understand how it came to pass that risk rose to such high levels that (in some cases) firms went bankrupt or were nationalized. Similarly, infosec professionals need to work with their principal stakeholders to understand their appetite for risk, and to determine which controls, operated in precise ways, will serve in combination to control those risks appropriately. This will require more science, not only to define and measure levels of risk acceptance but to define and measure precisely the effectiveness and operation of the controls that we all take for granted in the protection of information.