11 Mar 2020

Reducing Fear by Providing Assurance

Good security programs help organizations reduce fear by providing assurance

Recently I have been reflecting quite a bit on the evolution of my InfoSec career. This internal quest caused me to wonder why it is that “Information Assurance” isn’t something we hear much about anymore. Pondering the concept of Information Assurance, it seems to me that this notion is more relevant today than ever before. The pioneers of computer security must have recognized that, as abuse of computer systems became more prevalent, confidence would erode and fear would creep in, hampering a business’s ability to operate with confidence. As the information age began to emerge, the flood of information was overwhelming and often led to fear and uncertainty.

Fear is an interesting influencer of human behavior. Fear ensures that when we approach a situation we know to be high risk or otherwise unknown, we don’t blindly wander into a fatal mistake. In this way, fear is a vital emotion for any organism that wants to continue its existence. For those of us blessed to live in first-world countries, our environments are crafted such that we don’t have to worry about other apex predators, food or water supplies, weather conditions or the other stressors that still plague every creature on earth except humans. If we invert this assertion, we could say that we have an assurance that we will be well fed, hydrated and able to work, recreate or rest in relative peace.

Relating this to cybersecurity, it seems to me that security teams must seek to build programs that reduce fear by increasing the assurance an organization has in its technologies and the environments in which they are employed. Many security teams get lulled into security programs architected first to meet compliance requirements that also happen to meet security needs. This paradigm is natural because it seems to be an easy way to prove to oneself as well as to other organizations that “you meet or exceed industry best practices.” While this is a noble endeavor, it fails to provide assurance that the organization is truly secure.

Using a crude analogy, you could attempt to provide assurance to a small child that there are no monsters under the bed by discussing the statistical likelihood of a multilegged creature taking up residence under their bed, the multitude of ways that other families have ensured that they don’t have monsters under their beds, the impossibility of such creatures even existing in the first place, or any number of other theoretical exercises. We all know that none of these approaches would appease our 3-year-old auditor. So what do we do? We grab a flashlight, examine the underside of the bed and prove that in fact there are no monsters, only missing socks and toys.

It’s time to take what we gained from the information age and move into an age of intelligence where information is not just available but contextualized and validated relative to its use. I hope to provide suggestions in the following posts on how security teams can do this by building practices that provide security and assurance mechanisms specific to the mission of their organization. Through this, the state of security becomes easy to understand, assurance in the security and stability of the technologies employed is high, and easy attestations of compliance are possible. Security teams need to push ownership of technology decisions back to the business and provide ways to help the business understand not only where it is overexposed to risk, but also where it can lean in and capitalize on risks that it has well mitigated. A security team acting as risk advisors and trusted technologists enables a business to create secure technical solutions from the outset with the confidence of proper execution.