Ever wonder why data breaches are now called cyber attacks, or an application on the Internet is now called The Cloud? It’s for the same reason that Coca Cola is constantly changing it’s ‘look’, adding ‘new’ flavors of what is basically the same sugary mess, and why they’ve changed their slogan FORTY SEVEN times in their 125 year history;
To keep things fresh, to keep you thinking about them, and of course, to help you spend money.
So is this necessarily a bad thing for the field of information security? The answer clearly is no if these marketing ‘tricks’ actually help keep you secure though valid awareness programs and good services, but a resounding YES if it’s just a new buzz-phrase used to sell the same services with less due diligence.
Too many vendors and self-interested lobby groups are frighteningly good at demand generation; new buzz-phrases, invention of perceived needs, and playing on an organizations fear of losing a competitive edge, have all been the cause of many bad purchase decisions. This is especially frustrating when the tools for making good decisions have been around for decades. Literally.
For example; ISO 27001 – probably the best known and de facto security framework – has it’s roots in BS 7799 first publish in 1995, ISACA’s COBIT was released in 1996, and even PCI (which is just a controls based standard for the protection of cardholder data) has merit in its 10th year in existence. If these aren’t enough, the ages-old – but still VERY much alive – concept of Confidentiality, Integrity and Availability has been around for so long that no-one seems to know when it started.
And these are just the overarching frameworks for the security of data, beneath them you have equally well known, mature, and readily available tools for the protection of your data assets:
1. Governance – The Business side and the IT side having meaningful conversations;
2. Risk Assessment – An examination of the business needs applied to the current ability to achieve those goals;
3. Vendor Due Diligence – a THOROUGH review of the external help you’ll likely need;
4. Asset Management – You can’t manage what you don’t even know you have, and;
5. Vulnerability Management and Change Control – If you have absolute control over the changes you make internally, the only things that can increase risk are from the outside. These two tools work hand-in-hand.
All of these tools are covered to a varying degree in the above frameworks, and represent standard good security practices established for longer than most of us have been alive. Without these processes in place, you don’t have data security. Full stop.
So if they are that established, why are they not as well known and pervasive as they should be? Simple, and for the same reason no-one likes paying for insurance; there is no obvious positive impact on the bottom line. Where’s the ROI for spending money on security? But this assumes that an ROI involves making MORE money, but is not LOSING money just as effective? Fines, damages / reparations, and the inevitable loss of reputation all have significant negative impact.
Instituting an appropriate level of data security for your business is actually quite simple, keeping it in place requires much more effort but is equally simple; follow the decades-old advice of the existing frameworks.