Reflections on Security

This text is from 2006. Please read it in that context.

What is security?

Most dictionaries have at least 7 different meanings for this simple English word. In the current media-frenzied environment, everyone hears it daily. Yet we are still not able to give a single definition for such a simple word.

Most people will agree on the most common definition, "freedom from risk or danger". However, "danger" and "risk" mean very different things to very different people. To people in the financial industry, it might mean losing their career or money. For the average Joe, it may mean getting robbed, or not being able to pay simple daily bills. For a child in a war-torn country such as Sierra Leone, it may mean not being able to leave the house without running into unexploded ordnance.

Quite a difference. Security touches our lowest level of thinking directly, connecting straight into what we know as "fear". Security is thus best defined as "the feeling of being protected against our fears".

Thus, the level of security one can feel is directly linked to the level of fear one deems acceptable. In large cities, inhabitants may feel "secure" in the comfort of their home, even though there may actually be a risk of someone entering it at night with malicious intent. Other inhabitants, living in the exact same neighborhood or building, may not feel secure at all. As you can see, the feeling of security is closely linked to the level of fear each person finds acceptable.

Sometimes fear is explicitly induced for monetary gain. An example is the information security industry. This is a business which does not directly support any business process, but just delivers solutions which sell better the more fear is invoked. It is like scaring someone, then selling him something against the constant fear which keeps haunting him.

I'm not claiming that IT Security shouldn't be taken seriously. I've worked in the business for a number of years now, and sincerely think we are doing something which matters. The question is just, "how much?".

Security in information systems is mostly based on "detail". You don't need multiple top-notch Intrusion Detection Systems to protect your data. It's most likely not that important. What you need to grow towards is minimalism. While it is awesome to have all the latest gadgets, each one of them adds both expected and unexpected functionality. It is the latter you should be most afraid of. Someone may understand your gadget better than you do. Someone will.

The main requirement you must fulfill to protect your information systems is quality. Quality consists of all those little things that are necessary to make your information security fears disappear. Quality is built on an eye for detail, minimalism, and review. Depending on the situation, this may include adding top-notch security devices, but it may very well not.

Information security is a global issue, interrelated with all other groups that publish information. It is very closely linked to political security, personal security, and all those other types of security. There is no real difference between "information security" and security. As long as people don't like you or what you do, neither you nor your data will ever be secure. You need to be aware of this and take it into account. Although often seen as a sign of "weakness", decreasing your visibility and decreasing the offensiveness of yourself, or your organization, towards the world is the one major step we all need to complete. This is not something that can be done in the short term, but it is something we all need to work towards.