Security - A Primer for the Business

If you are new to Security, it can be confusing, full of technical jargon and occasionally sneery as technical folks can be when newcomers don't immediately understand their TLAs (three letter acronyms). It took me a good 15 years in the business NOT to be fazed by engineers spouting gobbledygook at me, and yet I am still guilty of it. At a time when I'm trying to pitch a complex idea in the simplest terms possible I know that people still find what I'm saying hard to digest. I was speaking to the inspirational Melanie Oldham of Bob's Business last week and she very kindly said "you might need to work on simplifying what you're saying, I'm in Security and I struggled to understand it". I'm acutely aware of this, and we have stopped sales activities recently to focus on messaging and marketing.

I'm taking this back to grassroots to explain not only what Security is, but how we do it, to help understand the "why". Simon Sinek, eat your heart out.

I am old enough to remember IT before Security was a thing, before the Internet existed (my kids do not believe this, in the same way I find it hard to imagine the rag and bone man on a horse and cart my mother refers to). We just didn't know then that the computers we used to play games and write "hello world!" on would become mines of information, or, as we tend to refer to them now as if we were Cold War spies, "Assets".

101

In the simplest of terms, our Assets are continually under threat because they have value.

Without any Security in place, Assets are completely exposed. So what does Security look like? Initially it was an IT person putting firewalls in, sometimes other controls too, but rarely a coherent set of processes.

Over time we learnt that firewalls were not enough, and control estates became increasingly complex and siloed. Between 1999, when I started in IT Security, and 2006, when I became a Consultant for the first time, the set of controls had become so complex that BSI and then ISO had set out required standards (BS 7799, later ISO/IEC 17799) to try and drive people towards a "correct" set of controls. These eventually combined to become the default baseline of security controls known as ISO27001 (the controls themselves sit in its Annex A). I've said it before, and I'll say it again: I'm not a fan.

Why am I not a fan though? Surely this guidance created a standard approach to Security, and all threats were immediately rendered powerless?

Clearly not. Whilst the intent behind compliance is sound, the practical implications are often damaging. The focus on a binary yes/no for whether a control exists means that how that control is implemented and configured is not considered: a firewall that is present but permits everything still ticks the box. Around the same time as ISO27001 was bedding down as a single standard, CESG (the information assurance arm of GCHQ) was setting in motion HMG Infosec Standards 1 and 2 (IS1/2), a risk management approach intended to take Security to the next level: examining the risks to assets, mapping controls to those risks and highlighting where the gaps were, whether in the configuration of existing controls or in a lack of controls altogether.

To me, at the time, this was magic. I worked as a CLAS (CESG Listed Advisor Scheme) consultant for 5 years or so, primarily on the Passport Office account, protecting highly sensitive data. I am still proud of gaining accreditation for every system within it over my time there. This is not just because of the robustness of the systems, but because of the blood, sweat and tears it took to get meaning out of the methodology. In short, any methodology can become incredibly complex if used incorrectly. It's a tool that can simplify, but used incorrectly it creates chaos. I'm reminded of the George Box quote:

"All models are wrong, but some are useful"

I can confidently say that by the mid-2010s my understanding of Security had become confused, and was probably poorer than when I was an engineer in the early 2000s. I remember long conversations with my Head of Risk about how Security Risk should be represented, what the right level was, and what values to use. We eventually decided that it was mainly guesswork, and that putting numbers against it was worthless. For me, a Physicist by education and a logician at heart, this was the closest I've been to wanting to quit a field, but I'm also stubborn and pedantic, so I pressed on.

I will continue tomorrow with the story of how...

Haroon Malik, FCIIS

| Partner, Global Head of OT Security | Industry Fellow | Board Advisor |

4 years ago

Rob Newby, really liked this! Look forward to part 2!

Christopher Wren

Cyber Security Director (InfoSec, SecOps, CyberOps, DevSecOps)

4 years ago

I have my "why" documented, will forward it to you. Surprisingly it has nothing to do with annoying you via LinkedIn.


More articles by Rob Newby

  • The Security Disillusion?
    "I'm wondering if Security is the right field now. The more you move into leadership roles, the more I feel it's a bad…"

  • Infinite Improvement
    If you aren't already familiar with the process maturity, improvement and the Cyber Security Framework, these articles…

  • And so to the future
    What CSF did so brilliantly was to single-handedly turn Security from a bunch of technical controls into an end-to-end…

  • Focus on Process
    During the period where I was learning Risk Management (2000-2010), businesses started to realise the importance of…

  • Great Unsolved Security Problems – Part 3: The Future, Now
    Today, now, right now we are living through one of the greatest changes in several generations, CIOs are being praised…

  • Great Unsolved Security Problems – Part 2: Present problems
    Yesterday I wrote about how Security is perceived by the business, and how that is preserved by historical issues of…

  • Great Unsolved Security Problems - Part I: Historical Problems
    I saw a great question on here this week asking what the biggest unsolved problem in Security is. I rolled out an…

  • Dell sells RSA - what's in a market?
    Dell sold RSA to Symphony Technology Group, a PE firm, last week. I'm sure you've heard by now.

  • Election Special (ish)
    My last post got a lot of attention from other CISOs, all loudly agreeing with my point of view. I've made a few new…

  • What makes a good CISO?
    CISOs and Security Programme Managers (hereafter SPMs) can be a very powerful combination in delivery, or the…