One of the reasons that security programs aren’t always as effective as they should be is that organizations of all sizes often fail to ask the most important question: What is security?
Security is often categorized as physical security, personnel security and information security. Much of the reason is historical. Back before computers, corporate security people were concerned primarily with physical assets. The area of personnel security evolved with background checks and security clearances and then expanded into workplace violence prevention and ensuring the safety of employees at work and when they travel.
Then computers came along, and the complexity of these new systems gave birth to “computer security”. Over time the “computer” field became known as “information technology” and “computer security” became “information technology security”. Some time after that it finally dawned on people that the focus should be protecting information (as opposed to “information technology”) and since then the term “information security” has increased in popularity.
Within the information security field, the buzz phrase “Confidentiality, Integrity, and Availability” describes its goals: protecting information against unauthorized disclosure, ensuring that it is not inappropriately modified, and making sure that authorized users can actually use it when they need to. Every so often somebody (commonly a vendor representative trying to push their product) tries to expand this definition by adding a fourth or fifth goal, but in doing so they usually succeed only in proving that they don’t understand information security.
In some organizations different people or groups are responsible for different “types” of security. They often use different language, different processes and their failure to co-ordinate activities often increases security risks.
So what is this security thing anyway? Security is simply about protecting assets.
Physical security is about protecting company assets. But so is personnel security. While I’m certainly not suggesting that a company owns employees, they are assets. Their ability and willingness to work is of great value to the company – without them very little could get done. If a company fails to protect employees, and they are unable to work, that constitutes a loss. Failure to comply with laws and regulations regarding the protection of employees also damages other assets, including employee and public relations, and leads to monetary losses through fines or civil damages. All political correctness aside, employees are valuable assets that require protection.
Finally, there’s “information security”. Today information is an asset. While computers and networks can be complex, and different skills are required to protect digital information, in the end it’s all really just about protecting assets.