Running With Scissors…Security, Survivability, Management, Resilience…Whatever!
Mom always told me not to run with scissors because she knew that ugly things might happen if I did. I seem to have blocked this advice out of my psyche. Running with scissors can be exhilarating.
My latest set of posts represent the equivalent of blogging with scissors, it seems.
Sadly, sometimes one of the only ways to get people to
intelligently engage in contentious discourse on a critical element of our
profession is to bait them into a game of definitional semantics;
basically pushing buttons and debating nuance to finally arrive at the
destination of an "AHA! moment."
Either that, or I just suck at making a point and have to go through all the machinations to arrive at consensus. I’m the first to admit that I often times find myself misunderstood, but I’ve come to take this with a grain of salt and try to learn from my mistakes.
I don’t conspire to be tricky or otherwise employ cunning or guile to goad people with the goal of somehow making them look foolish, but rather have discussions that need to be had. You’ll just have to take my word on that. Or not.
You Say Potato, I say Po-ta-toe…
There are a number of you smart cookies who have been reading my posts on Information Survivability and have asked a set of very similar questions that are really insightful and provoke exactly the sort of discussion I had hoped for.
Interestingly, folks continue to argue definitional semantics without realizing that we’re mostly saying the same thing. Most of you bristling really aren’t pushing back on the functional aspects of Information Security vs. Information Survivability. Rather, it seems that you’ve become mired in the selection of words rather than the meme.
What do I mean? Folks are spending far too much time debating which verb/noun to use to describe what we do and we’re talking past each other. Granted, a lot of this is my fault for the way I choose to stage the debate and given this medium, it’s hard to sometimes re-focus the conversation because it becomes so fragmented.
Rich Mogull posted a great set of commentary on this titled "Information Security vs. Information Survivability: Retaking Our Vocabulary." wherein he eloquently rounds this out:
The problem is that we’ve lost control of our own vocabulary.
“Information security” as a term has come to define merely a fraction
of its intended scope.Thus we have to use terms like security risk management and
information survivability to re-define ourselves, despite having a
completely suitable term available to us. It’s like the battle between
the words “hacker” and “cracker”. We’ve lost that fight with
“information security”, and thus need to use new language to advance
the discussion of our field.When Chris, myself, and others talk about “information
survivability” or whatever other terms we’ll come up with, it’s not
because we’re trying to redefine our practice or industry, it’s because
we’re trying to bring security back to its core principles. Since we’ve
lost control of the vocabulary we should be using, we need to introduce
a new vocabulary just to get people thinking differently.
As usual, Rich follows up and tries to smooth this all out. I’m really glad he did because the commentary that followed showed exactly the behavior I am referring to in two parts. This was from a comment left on Rich’s post. It’s not meant to single out the author but is awkwardly profound in its relevance:
[1] This is the crux of the biscuit. Thanks for saying this. I don’t
like the word “survivability” for the pessimistic connotations it has,
as you pointed out. I also think it’s a subset of information security,
not the other way around.
I can’t possibly fathom how one would suggest that Survivability, which encompasses risk management, resilience and classical CIA assurance with an overarching shift in business-integrated perspective, can be thought of as a subset of a narrow, technically-focused practice like that which Information Security has become. There’s not much I can say more than I already have on this topic.
[2] Now, if you wanted to go up a level to *information management*,
where you were concerned not only with getting the data to where it
needs to be at the right time, but also with getting *enough* data, and
the *right* data, then I would buy that as a superset of information
security. Information management also includes the practices of
retaining the right information for as long as it’s needed and no
longer, and reducing duplication of information. It includes deciding
which information to release and which to keep private. It includes a
whole lot more than just security.
Um, that’s what Information Survivability *is.* That’s not what Information Security has become, however, as the author clearly points out. This is like some sort of weird passive-aggressive recursion.
So what this really means is that people are really not disagreeing that the functional definition of Information Security is outmoded, but they just don’t like the term survivability. Fine! Call it what you will: Information Resilience, Information Management, Information Assurance, but here’s why:
you can’t call it Information Security (from Lance’s comment here):
It seems like the focus here is less on technology, and more on process
and risk management. How is this approach from ISO 27000, or any other
ISMS? You use the word survivability instead of business process,
however other then that it seems more similar then different.
That’s right. It’s not a technology-only focus. Survivability (or whatever you’d like to call it) focuses on integrating risk assessment and risk management concepts with business blueprinting/business process modeling and applying just the right amount of Information Security where, when and how needed to align to the risk tolerance (I dare not say "appetite") of the business.
In a "scientific" taste test, 7/10 information security programs are focused on compliance and managing threats and vulnerabilities. They don’t holistically integrate and manage risk. They deploy a bunch of boxes using a cost-model that absolutely sucks donkey… See Gunnar’s posts on the matter.
There are more similarities than differences in many cases, but the reality is that most people today in our profession completely abuse the use of the term "risk." Not intentionally, mind you, but due to the same reason Information Security has been bastardized and spread liberally like some great mitigation marmalade across the toasty canvas of our profession.
The short of this is that you can playfully toy with putting lipstick on a pig (which I did for argument’s sake) and call what you do anything you like.
However, unless what you do, regardless of what you call it and no matter how much "difference" you seem to think you make, isn’t in alignment with the strategic initiatives of the company, your function over time becomes irrelevant. Or at least a giant speedbump.
Time for Jiu Jitsu practice! With Scissors!
/Hoff
Okay. Hoff, you're a great guy, but you're taking on a very big resemblance to Humpty Dumpty from Alice's Adventures Through the Looking Glass. Go ahead and make "survivability" include record retention, de-duping and data quality if you like, but I think that's just plain silly. Nobody would ever use "survivability" in that context for any other situation. Does the "survivability" of a plane trip include the reason why you're traveling?
You've got a fine idea, but you've got it associated with a stupid name that you're infatuated with. Why does the name matter, you ask? Well, if it doesn't matter, why aren't you willing to change it?
I think it's because you're trying to market it as a brand (that's why you changed the name of your blog). If your idea is a good one, it shouldn't matter whether we still call it Information Security Done Right or whatever.
I say that Information Security Done Right encompasses "risk management, resilience and classical CIA assurance with an overarching shift in business-integrated perspective." I don't think it encompasses whether you are getting a large enough statistical sample to make your data valuable to your customers, or whether you have twenty-five copies of the same file, wasting storage space. Those have nothing to do with security OR survivability.
So why are we having this argument? It's because you care about the word every bit as much as I do. If you didn't, you'd be happy just to say "Here's the other things we should be doing in security order to do our jobs, besides checking compliance boxes and fondling DLP appliances."
I know, I know, coming up with a whole new brand and selling it as a paradigm shift is a lot sexier. Go for it, stud.
Shrdlu:
I'm willing to choose and use "survivability" for the exact same reason you chose to use "management" in your comment. Kettle? Pot here…
Because security as we've both laid it out is ill-defined based upon both perception and reality. I happen to like the concepts which survivability represents.
A follow-on post will actually soon show that the authors of the paper I referenced now gather their efforts under the "resilience and governance" moniker. Does that invalidate their theories? Hardly. They're just as timely today.
I may decide to change it tomorrow if I find a better way of expressing my views. I'm neither infatuated or confused. It's really quite simple.
As Rich said:
"When Chris, myself, and others talk about “information survivability” or whatever other terms we’ll come up with, it’s not because we’re trying to redefine our practice or industry, it’s because we’re trying to bring security back to its core principles. Since we’ve lost control of the vocabulary we should be using, we need to introduce a new vocabulary just to get people thinking differently."
You thanked him for this clarification and whilst I've used the same one, yet you want to scrap? Hey, that's cool. Odd, but your choice.
I've already said "Here's the other things we should be doing in security order to do our jobs, besides checking compliance boxes and fondling DLP appliances." So has everyone else. A thousand times. Look where that has gotten us.
Nowhere.
Care to suggest how much impact that's made or how many people may have thought — even for a moment — differently about what they do and why?
If you don't think selling security is a requirement, you're lying to me and yourself. It has nothing to do with sex appeal, it has everything to do with relevancy.
Look, if you want to stand up and declare "I have all this stuff handled and I'm an exception to your generalization," then I think that's fantastic and I laud your efforts and achievements.
My background, my exposure to customers globally and my experience suggest you're in the fringes of the minority if that's the case.
You're choosing to continue to debate something that I've already admitted to using as an illustrative prop. May I kindly suggest that the "what do you call it" horse is beaten already?
I didn't know I was a "stud"…
Thanks.
/Hoff
A picture for your collection: http://images.barnesandnoble.com/images/11640000/…
NICE! Thanks, Paul.
😉