The Road Goes Ever On and On...
Graydon McKee - MSIA, CISSP
Former Chief Information Security Officer (CISO), Fortune 5 Experienced Information Security Executive
It is a Journey
What is security? How can I be secure? How will I know my systems are secure? I was compliant with the regulations, how was I able to be hacked?
Over the years these questions have come up in one form or another, in conversations with different people and in different contexts. At first I was a bit dismayed that we are still struggling with the concept of security, but the more I thought about it, the more I welcomed the opportunity to address this topic.
We are what we repeatedly do. Excellence, then, is not an act, but a habit.
~ Aristotle
Let’s face it, most, if not all, of us are results-oriented people. We like to have tasks with a clearly defined start, clearly defined milestones, and a clearly defined ending. The problem is that information security doesn’t fit this model of the world. It isn’t so much a state as it is a state of mind.
I personally don’t believe there is any such thing as a secure system, and for a while there was pretty much consensus on that among the people I knew. That was until I was sitting in a meeting the other day with someone who said, “We can make your systems 100% secure; the problem is that it is cost prohibitive.” Needless to say, I don’t agree with that statement. The amount that you spend on information security should be commensurate with the value of the information being protected. As I said before, Information Security isn’t so much a state as it is a state of mind.
We can do all the right things, but there is still no guarantee that our systems are, or ever will be, totally secure. At any time we may fall victim to a zero-day exploit, a malicious insider, or simple user error. We can implement technical controls to limit this possibility, but we cannot eliminate it altogether. It just isn’t possible.
Let me leave you with two quotes. The first is from Dr. Eugene Spafford of Purdue University.
The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts.
~ Dr. Eugene Spafford
And the second may be original. I’m not sure if I made this one up or if I heard it somewhere. I’ll claim it for now but if anyone can cite another source please let me know. Either way I think it is an accurate depiction of our goal to seek a totally secure system.
Imagine a line with a point on either end. Point A is a totally insecure system and Point B is the theoretical totally secure system. As we start our journey from Point A to Point B, the furthest we can travel is half the distance. That is the best we can do, so we travel halfway, then halfway again, then halfway again. If we keep going half the distance between where we are and Point B, we will never actually reach Point B. Granted, we are a lot closer than we were when we started, but we still never reach our destination. Since we can never really reach our destination, we must focus on the journey itself. Information Security is like that.
~ Graydon McKee
About Graydon McKee:
Graydon McKee is an experienced Information Security Executive with a unique and diverse background. Graydon’s career has taken him from the position of help desk support to the boardrooms of some of the world’s largest and greatest companies. Along the way, he has learned that protecting information goes well beyond technical solutions in the datacenter and extends into business processes and the people who bring life to a company’s goals and dreams.
Graydon’s journey has been diverse in both size and scope. Graydon has experience in global markets and multiple industries such as Consumer Electronics, Printing and Packaging, Consulting, Overseas Manufacturing, Software Development and Distribution, Finance, Education, and the Public Sector. In addition to his knowledge of information security, his strengths include strategic planning, motivating and empowering others, building effective global teams, problem solving, and adapting to challenging, dynamic environments. His expertise has led to him being sought out by the likes of Apple and Microsoft to help them protect their most tightly held corporate secrets in order to protect their competitive advantage.
Great job sir!!
Chief Information Security Officer | Strategic Business Partner | Fortifying Enterprise Information Security and Cyber Resiliency | Enterprise Cybersecurity | Cloud Security | IT Security Operations (10 years ago):
Wow! Very insightful! Thanks!
Cyber Risk Lead (10 years ago):
Excellent Post!