Monday, September 19, 2011

What is “good enough” information security?

by Simon Biles

I have, occasionally in the past, mentored people in (on?) Information Security – once for money (this is not a revenue stream that I’ve mastered by any stretch of the imagination!), but more often than not, informally and infrequently. What there is in common with most people who are keen, but still a bit wet behind the ears, is an idealistic world view where Information Security, as a totality, can be obtained. It sometimes seems a bit like kicking a puppy to have to break it to people that, irregardless of how long, how much money and how much technology you throw at something, it will still have vulnerabilities and risks. Even the proverbial “unplug it, stick it in a safe and throw away the key” is still vulnerable. I’ve seen “Oceans 11″ – I know what can happen to a safe.

The reality is what we do for a living is to make security “good enough” – we are risk managers, risk mitigators, risk avoidance and risk acceptance professionals. We know what can happen, and then we decide if spending £x on it is worth it. Where we go wrong, inevitably, is that we sometimes have absolutely no idea about the value of the asset that we are protecting. How can you determine if a countermeasure or control is appropriate if you don’t know this figure? The real problem is that very often the business has no real idea either...

Read more

No comments: