We recently discussed the tried-and-true CIA information security triad: Confidentiality (keeping secrets secret), Integrity (ensuring information is not modified) and Availability (keeping electronic doors open and IT shops humming).

Availability has become perhaps the most pressing post-9/11 security issue for network-centric firms. Today, responsibility for network availability is being moved from information security staff to others within the corporate organization. Other companies consider availability a part of business continuity.

What we see in too many organizations is turf building, budget grabbing and “stove-piping” – vertical building of a hierarchy within a company that has no contact with other divisions or departments. This is the antithesis of what is needed to meet modern, coordinated threats that transcend corporate-divined organizational boundaries.

A more modern security triad, CPP, redefines the three main areas of security:

  • Cyber (computer, network and information security)
  • Physical (the wires, silicon, glass and structures)
  • People (employees, consultants, suppliers, partners and anyone in contact with your company)

Under this triad, stove-piping of responsibilities and functions creates unnecessary overlap, wasted resources and a mediocre security posture.

Availability should be dealt with in all three legs of the triad. Physical security is valuable and should be part of any serious security effort, but it cannot be done in a vacuum. Availability is also affected by people, who can cause the network to fail. Denial of service can also come from network clogging, misbalanced traffic loads, too many MP3 or MPG downloads, and viruses and worms, to name a few.

The best-run security organizations create a horizontal team of experts from many disciplines with a common goal: protect corporate physical and information assets from all forms of weakness and threat.

Top management needs to recognize that while security is made up of many discrete, often technical, pieces, ultimately strong security is created by strong management that understands the need for operational flexibility in the myriad environments that challenge us today.

