Archive for July, 2008

A friend of mine passed along an email he received from an information security vendor today.  The vendor had inquired as to whether or not my friend was still interested in his company’s product.  When my friend thanked him for his time and explained that they had chosen to go in a different direction the vendor responded:  (again paraphrased to protect the guilty)

I thought we didn’t have a chance since I wasn’t able to speak to anyone other than you.  Based upon common experience, I think you will find the direction you’ve chosen to be extremely expensive with relatively little return.

But best of luck…

Translation:

Yeah, I knew you weren’t all that intelligent when you didn’t agree that my product was the best thing since sliced bread.  If you’d have let me speak to someone with half a brain I’d have probably gotten the sale.  You just don’t realize that you don’t really need what you decided to buy but like I said, you’re a moron so go figure.

Now I’m no rocket scientist but giving a potential client backhanded “advice” isn’t going to endear yourself to that client.  Even if the potential client is lacking in reasoning ability, you never tell them that.  The sale that fell through today may very well be the sale that comes through tomorrow. 

This is the problem with product vendors.  Many of them are lifelong salesmen and do not really have a clue as to what goes on in an information security department.  These are the guys from the snake-oil school of sales: they tailor your problem to fit their solution as opposed to trying to really understand the problem.  They don’t want to solve your problem, they want to sell their product. 

Now I know that this is a general statement and that there are some good sales guys out there.  I’ve actually had the pleasure of meeting a few.  There is one guy that I wouldn’t hesitate to call even though his territory is on the West Coast. (I’m on the East Coast.) The problem is that the good ones are few and far between.  


I was recently involved in a discussion over the different terms used to describe what we do: Information Security (IS), Information Assurance (IA), or Information Risk Management (IRM). Some very interesting points and observations came out of that discussion, so I thought I’d echo them here.
The discussion started on the Norwich University MSIA program alumni discussion forum. One of the graduates, Steven Hickey (MSIA ‘06) started the discussion by making the observation:

A colleague of mine, who also works as an Information Assurance (IA) professional (DoD specialty), argues that the CISSP certification has “absolutely nothing to do with IA.” He is of the opinion that Information Security is not Information Assurance and sees “no similarities” at all (ummm… none?). Anyway, from a DoD 8570 perspective, the IAM (managerial) level II and III are required to have the certification while none of the IAT (technical) levels are required to have the CISSP.

This started a discussion that went in two main directions – whether the CISSP certification is useful in both the technical and managerial realms (I won’t touch on this here) and whether or not Information Security (IS) is a subset of or has anything to do with Information Assurance (IA).

There were several great posts to this discussion. One was by John Graham (MSIA ‘04):

Although the DoD has ‘coined’ the phrase Information Assurance, in my opinion the concept certainly is broader than information security, and information security is a subset of the information assurance space…knowing and understanding the concepts required for the CISSP only strengthen the Information Assurance professional’s tool kit…

And

I have always found it interesting that most organizations tend to initially focus on technical controls, then gain the understanding of the required linkages to process and governance needed to actually implement and maintain the controls.
Information Security certainly does provide the control aspects, and the technical depth. When companies start looking at reasons why they have trouble actually ‘implementing’ information security policies, they begin to see the need for broader discussions more in line with information assurance.

Sharon Mudd (MSIA ‘08) took the concept even further.

I agree with John. To expand on that, in my view the entire space is going through a maturation process. What was once Information Security (focused strictly on IT) evolved into Information Risk Management (allowing it to broaden a bit) and is now heading towards Information Assurance. Each evolution incorporates what was there before and enhances the importance of getting out of the InfoSec silo and into the other areas where it runs into business processes/needs (or government, or whatever other entity you’re working with).

and

What was the original foundation of InfoSec seems to be what we’ve been referring to as Security Operations – or – the day-to-day hands on the firewalls/IPSs/etc. work that must be done; even monitoring and incident detection can fall into this category. Where I think it goes over the wall to a risk management activity is when you start trying to understand what the alerts mean in the context of your business functions and managing the issues from a cost/benefit or risk/reward perspective.

I believe the term “evolution” in this context is key. One of the things that I have enjoyed about being a consultant over the years is the variety of environments and networks that I’ve been privileged to become acquainted with. Most of the time the issues that I’ve come across had very little to do with the technology. Most technology issues were symptomatic of deeper alignment issues.

Many of the highly specialized (or more tactical) activities that IS “grew up with” have now begun to be relegated back to the network and infrastructure departments. Our role has evolved into a strategic role that bridges business units. IT, and by extension IS/IA/IRM, has been the one department that is typically siloed off from the rest of the company in terms of being fully integrated into business operations. This is most likely due to the fact that IT basically began as a support function not much above the mail room in importance. The companies that have seen the advantage of integrating IT and IS into their strategic planning process have gained a commanding advantage in the marketplace.

Once you achieve an alignment with the business objectives, IS/IA/IRM projects are easier to sort out and prioritize in terms of their overall value. As we all know, this requires that both the business units and IT cooperate in achieving the common goal. One key aspect of this is the use of a common taxonomy. In the end, whether we call it information security, information assurance, risk management or “skippity do” doesn’t really matter all that much as long as we achieve the ultimate goal of bringing value to our employers. The terminology may be determined by the sector in which we’re working, such as the DoD example, or it may be something that we can influence.

I believe that we must learn the language of business. Business won’t learn the language of information security – that is what they hire us for. The approach that requires management to learn “our language” is doomed to failure. Whatever the case, I’m more of an advocate of using the terms that most clearly convey the concept to my audience.


The Choice


I don’t know if this happens to anyone else but I was reading Wired Magazine’s article on Google’s Open Source Android OS and all I could think of was the security implications of users being able to install anything they wanted onto their smart phones.  I kept trying to pull my mind away and focus on the promise Android brings to this market.  I am excited about it but security concerns keep sneaking their way in to disrupt those thoughts.  Now I don’t want to reopen the debate on whether open source is more secure than proprietary source code.  Better people than me have engaged in that debate; I can’t add any additional value there. 

My point is more that it can be hard to get excited about new technology and improvements knowing what we know.  It is times like this that I wonder why I couldn’t have taken the blue pill…



Apparently it will all be over in less than three years.  Wow.  That is some statement to make.  Apparently the media doesn’t mind making it though.  They report that we will run out of IP addresses by early 2011. 

Two of the reports that I’ve read (one on Foxnews.com and the other on The Times Online) portray a digital doomsday rapidly approaching.  We will run out of IP addresses and everything will come crashing to a halt.  Apparently there is even a countdown clock located on the Net. 

Now this may be so; we may run out of IPv4 addresses, but statements like this strike me as irresponsible.  (Especially since this does not appear to be what the report actually says – it appears to be straightforward and level-headed, though I haven’t read all of it yet.) 

I’m not a big fan of the FUD approach (Fear, Uncertainty, and Doubt).  I don’t think that anyone should try to scare someone into action even if the result is a good thing.  You put your credibility on the line every time you make a prediction such as this.  Look at the Y2K non-event.  It cost an estimated $300 billion worldwide, and it is debatable whether or not it was really worth it.  Now I don’t want to open up that debate again.  What I am concerned about is that messages like this tend to derail us from what is really important. 

Should we plan for a conversion to IPv6?  Of course we should, but this is not the foreteller of doom that the media seems to want to make it out to be.  You can be sure that product vendors will soon pick up the war cry and fan the flames of FUD. 

Life, and business, is a balancing act between risk and reward.  Let’s incorporate these concerns into our plans so that we can deal with them in an ordered and structured way rather than through emotion and panic. 


A few questions have come in from some readers.  Since some of them are similar I felt that it would be best to answer them here. 

Can anyone really defend themselves against hackers or dishonest insiders? For example, if data leakage is invisible (because there may be no evidence left behind that information has been copied without authorization), how can one possibly defend against it?

Welcome to the Information Age!  Knowledge is power; he who has the knowledge has the power.  Intellectual Assets have become more valuable than physical assets.  The simple text file that contains the formula for a prescription drug could be worth tens of millions.  Individuals, companies, and governments are impacted when their information gets into the wrong hands. 

Information Warfare involves everything from personal identity theft to corporate espionage to offensive attacks against government assets.  The control of information is critical to the new Information Age.  Is it worth the risk interacting with this digital age?  We hear daily about vulnerabilities discovered in the operating systems that we use for work and play.  The applications we trust to hold our data, to view the world with our digital eyes, to pay our bills are fraught with bugs and backdoors.  Our Inboxes are filled with e-mail trying to entice us to provide our personal information.  Malware abounds throughout our interactions.  All around us are threats to our personal information.  With this focus on information, is it truly possible to defend against information warfare attacks when the attacks are just as varied as information warfare itself?

Life is about risk.  We all take risks when we get up in the morning and start our day.  We take risks as we drive our cars.  Our lives involve a mixture of risk avoidance and risk acceptance.  Defending our information against information warfare attacks is also an exercise in risk. 

Can we avoid all information warfare attacks?  No.  Information Systems are too embedded in our lives.  Even were we to hide all our money under our mattresses and never leave the house, the energy we use, the water we drink, and the government that provides us services are all provided in some way using information systems.  We cannot avoid all risks; therefore, we must decide which risks we can accept and which risks we try to avoid.  We can take efforts to insist that the companies we deal with conduct business securely.  We can petition our government to enforce common sense measures to protect its information systems.  We can ensure that we use good judgment when surfing the Internet. 

It all comes down to levels of acceptable risk.  We need to determine how we go about our lives and conduct business in a way that reduces the level of risk to our information and information systems.  What we cannot reduce or eliminate we must accept.  Much like the Age of Exploration, the Information Age is fraught with pitfalls and unknowns.  The mariners of old stocked their ships with the materials they might need should the unexpected come up.  They did what they could to minimize the impact of unforeseen circumstances and continued onward.  We should take a lesson from them and continue onward.
