Definition of IT Security
#116 I came across this wonderful definition of IT security. It really drives home the point that people are all viewing it from the wrong perspective.
Three things you need to know about security:
First, we're stuck with a notion that security is withholding our progress, when in reality -- when properly applied -- security allows you to go faster, because it gives you the controlled environment you need in order to succeed and implement new applications.
Second, security is supposed to be boring. It's the cop walking the beat. To whatever extent the Internet brought about this idea of fighting spies and espionage, white hats and black hats, evil hackers and all those exciting things -- that's completely wrong. The only people doing that are the ones who are failing to do all the boring, mundane, operational things that keep all that 'exciting' stuff away. Security is your standard, process-oriented approach to any control infrastructure. It's not supposed to be sexy or exciting. It's all about coming in to work every day, doing the right things and continuing to do them over time.
Thirdly, successful security means we're changing the future. We deal in a world of uncertainty and probability, and we're trying to decide what we should be doing if we were going to be attacked or hacked tomorrow. Based on that decision, we then implement our security controls. If we're successful, we don't get attacked tomorrow -- so we changed that future. I consider Y2K the biggest security success of all time, because there were actually lines of code being changed to thwart this notion of what would go wrong. Success means nothing happened.
Pete Lindstrom, CISSP and Research Director, Spire Security LLC.