Meditation on Security
I think security is important; however, it must be in support of business goals. Practical security eclipses total security and is always specific to the business mission, goals & objectives. Security is a support function.
Security must have a budget as a percentage of the operational IT budget. Security must be creative and resourceful to operate within the given budget, and when security supports the business and the business does well, then security must be rewarded with increases in budget. Security must be held accountable if it wants to be taken seriously.
Security is not a piece of software, hardware, or a compliance document; those are enablers of security.
Security is something that people do and take part in, continuously.
Security is a practice, a mindset, a way of being.
Security can become an obsession, and a liability.
Security is not absolute.
Let’s start with definitions. Once we understand and agree on the definition of something, we can then begin to share ideas about a topic, which leads to a conversation and progress.
Security – state of being free from danger or threat (definition)
Cyber – relating to computers and information technology, including virtual reality
Risk – a situation involving exposure to danger, exposure of something or someone to loss
Vulnerability – the quality or state of being exposed to the possibility of attack or harm
Threat – a statement or known possibility of harm being inflicted
Threats are understood as part of a risk assessment; risk assessments are specific to the system, person, or situation being assessed. Vulnerabilities discovered in the process of risk assessment increase the probability (likelihood) of an event.
Risk assessment should be continuous and not an annual event, since an annual event, a checklist, is a record of a fixed point in time. Any time a change is made/introduced/detected, a new security assessment must be done, quickly, effectively & efficiently. This is where people, hardware and software come in handy. Software and computers themselves could/should be used to assist, by the nature of their design and purpose. Over-reliance on any piece of hardware or software can lead to a false sense of security. The business must trust the people who do security, as well as test security & people regularly, and sporadically. People who do security must train in their craft continuously.
If we are in agreement, then we may continue to better understand how to best design a specific security solution to address the specific and often unique risk that something or someone is vulnerable to.