Friday, December 6, 2013

What's Your Security Epiphany?


I've recently had an epiphany on information security in the corporate world. Traditionally, we have all heard about the conflicts between "Security" best practices and:
  • Regulatory Compliance
  • Privacy Laws
  • Business Operations
But, alas, there are conflicts between different views of "Security" as a protective measure:
  • The FBI model: This is the traditional model of information security, on which all our security certifications (CISSP, CISA, CISM, Security+, et al.) are based. This paradigm of information security aims to ensure that all parties, internal and external, are compliant with all regulatory requirements and/or use industry-accepted standard practices. This model is a purist view of security, focusing on all parties behaving properly, and it plays no favorites.
  • The NSA ideology: This model is a more intelligence-focused approach to security. It uses various means to identify internal and external threats to an operational organization. This threat awareness allows organizations to adjust their operations to avoid and mitigate risks; however, it does not guarantee that an organization will take any action or make any changes to mature its security program.
  • The US Secret Service approach: This model is an entirely different perspective on protection. In this model, the only focus is to ensure that the business continues to operate, regardless of whether the operations themselves are secure (or even legal). These types of organizations view themselves as "too big to fail" (to use a recent cliché). In short, this model is a reference to the undeniable dedication of the USSS presidential bodyguards.
Having been a consultant for ~20 years, I've traditionally attributed the differences in my clients' risk and security management to each organization's unique culture. And my approach has been to provide the "Do What's Right" model through the use of tools such as security awareness training, vulnerability management, and policy/procedure creation.

With this new perspective on the various security cultures, I've learned to recognize the underlying motivational model of an organization's security program and to adjust my focus toward what can be matured and away from what cannot be affected.

My goal has and always will be to focus on the betterment of an organization's security behaviors. Now I just know what areas to avoid.

What's your Security Epiphany?