Security is Not a Technology Profession

Security is not a technology profession. Or at least it shouldn’t be, I would argue. If this sounds like a provocative statement to you, then I am doing my job well. In the end, though, once I’ve argued my position, I hope you’ll come to agree with me.

Perhaps it makes sense to begin by drawing a parallel to another profession, namely computer science. There is a famous quote that is sometimes attributed to Edsger Dijkstra, one of the pioneers of the computer science field: “Computer Science is no more about computers than astronomy is about telescopes.” Whether or not Dr. Dijkstra actually made this statement does not take away from the insight it brings. It is my belief that we in the information security profession can learn a lot from this quote.

So what am I getting at here?  Before I answer that question, let’s take a look at two distinct topics within information security.  One of them is a hot topic in current events, while the other is a timeless principle that has always been and will always be part of information security.

GDPR

Lots of people, whether security professionals or not, are talking about the European General Data Protection Regulation (GDPR) lately.  This conversation is happening for good reason.  The regulation is set to go into effect in May 2018, and many organizations are still struggling with it.

Rather than rehash various points around GDPR, though, I would like to focus on something different entirely. What is the essence of GDPR? What is the regulation going after? In my opinion, the regulation focuses on a strategic point that is too often overlooked in security. It focuses on the personal and private data and mandates that organizations take steps to protect that data.

GDPR doesn’t mandate that organizations have a certain type of IDS, a SIEM with a specific set of features, or a particular ticketing system. Rather, it instructs them to adequately protect the data they are entrusted with safeguarding. GDPR homes in on exactly what attackers are after - personal and private data.

Risk Mitigation

Risk mitigation is a subject that is timeless in the information security field, and it is, in essence, what information security is all about.  And if we look at the biggest risks most organizations face, many of those risks relate directly to the loss of sensitive, proprietary, and confidential data.  The theft of data that an organization was entrusted with safeguarding will most often cost that organization dearly.

Once again, we see that all roads lead back to protecting data.  You don’t mitigate risk by throwing a bunch of technologies into a data center and hoping for the best.  You prioritize the gravest risks to the most sensitive data, and then go about determining how best to protect that data.

So that brings us back to my original, perhaps provocative statement: “Security is not a technology profession.”

At this point, I hope you’ll agree that security is really a data protection profession, or at least it ought to be. Or, as we used to call our profession before the word “cyber” was everywhere, information security. Given this, you can imagine my surprise that most organizations still think about security as a technology profession.

Don’t get me wrong - technology is an extremely important component of a security program. As has been discussed many times, people, process, and technology all need to work together to secure an organization. Rather, what I am getting at here is that many organizations still seem to focus almost entirely on technological solutions to tactical problems, rather than on strategically addressing how they can best and most efficiently protect the data they are entrusted with.  In other words, many organizations focus on the symptoms, rather than the actual disease.

Let’s use the common cold to illustrate this point.  Most of us catch a cold one or two times per year.  We’re all familiar with the symptoms: sore throat, stuffy nose, headaches, and other unpleasant things.  Some of us may take medicine to help minimize the effect of the various symptoms of a cold, but as we all know, there is no cure for the common cold.  No matter what we do, we simply have to wait for our immune system to fight off the virus that has infected us.  I might be able to relieve my headache by taking a particular medicine, but until I fight off the cold, that headache will come right back as soon as the medicine wears off.

In security, many organizations start with the symptoms, rather than the disease.  I hear people say things like “I need a technology to combat ransomware”, “I want to buy something that will block more malware”, or “I am looking for a more effective anti-virus”.  I almost never hear people say things like “I need to safeguard customer data” or “I am looking to better protect sensitive, confidential, and proprietary information”.

Of course, people, process, and technology will provide the means to protect the data. But until that data has been identified, classified, and properly prioritized, it is nearly impossible to direct resources appropriately toward protecting it. You can take a pill to get rid of your ransomware problem today, but unless you address the root of the issue (that being the vulnerability of the data that ransomware goes after), another problem will take its place tomorrow.  Sort of a game of whack-a-mole if you will.

I’m not sure if I’ve succeeded in adequately communicating the concept here, though I hope I have. In a nutshell, security ought to be thought of as a data protection profession, rather than a technology profession. While technology, people, and process together help us achieve our goals, they are merely a means to an end. It’s important to remember this when looking to improve your information security posture. Start with the data you need to protect. The rest is details.

Original author: Joshua Goldfarb