Information security based on risk not fear


Fear drives the cybersecurity initiatives deployed by most organizations, but that means spending a great deal of money and resources trying to achieve something where failure is the only possible outcome: it is simply not possible to completely prevent hackers from getting in. Instead, information security should be based on risk, with multiple levels of protection for different types of data and multiple strategies to deal with the different stages of an attack.

Some of the most prominent stories in information security over the past few years have involved huge breaches of large corporations; the massive theft of data is seemingly becoming an everyday occurrence. This means we are witnessing a huge change in the once-neglected realm of cybersecurity.

The main problem, writes Keith Lawman for Tripwire, is that most IT security departments have been set up as a reactionary measure. Organizations have reacted to news stories of the latest breach with terror and a feeling of dread that they could be next. Fear of reprisals, termination and exposure focuses organizations on preventing what has already happened and, even worse, promotes a negative attitude towards data accessibility.

As the personal, financial and professional implications of data breaches have expanded over time, regulatory agencies have been set up to protect this data, and consequences have been laid out for companies that fail to abide by their rules. This is all well and good, but simple compliance isn't enough. While compliance measures do remove some of the negativity surrounding information security, the unintended consequence is that all too often security is based on the compliance measures rather than on the actual risk. The mentality then narrows to a simplified focus on access prevention, which is no guarantee of safety.

It is neither 100% feasible to protect every part of the perimeter nor financially possible to do so. The goal is simply to recognize that there is a risk involved. The focus, therefore, should be on identifying and quantifying the financial impact of any potential breach. A multi-tiered approach is the logical outcome of this realization: certain risks are offset by a defined program for detecting and identifying a breach rather than by any particular preventative platform.

The barrier to this kind of approach is that an overhaul of the organization's data structure is required to accurately classify and recognize the information held. Not all high-tech exploits can be offset with high-tech solutions. For example, in a number of recent high-profile breaches, access was gained through compromised privileged user accounts.

A good analogy is a typical household. Of course you are going to lock all the perimeter doors and windows. However, this doesn't guarantee that a determined attacker will be prevented from gaining access. You might then install a security system to alert you when a break-in occurs and limit the amount of time the 'house' is exposed. Furthermore, you might keep certain valuables locked away in a secure safe hidden inside the house. Even then, an insurance policy is often a good idea to help if all else fails.

- Many organizations adopt a reactionary, regulation-driven approach to cybersecurity.
- This is a simplified approach which involves trying to stop hackers at the perimeter.
- This is not feasible, so what is needed is a multi-tiered approach.
- This involves classifying data according to risk and using appropriate defenses to protect each risk level.

The security principles set forth in the industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check and Act (PDCA). Many good security products are on the market, but each is designed to meet specific threats and will not block others. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: "Security is not a product, but a process."