What do we actually do in Security?
When you provide the absolute best security to a client, what is the result? What changes for that client? The answer is: nothing.
Think about it. Security stops bad things from happening. So when we as security practitioners do the best job possible, there's no result to point to. Often, those who value security the most are those who didn't follow security rules - and got burned.
The fact that when security works, nothing happens, is a problem. Management doesn't always know what we do. Even worse, employees often don't understand what we're asking them to do.
Five Security Areas
That's where the concept of five areas of security comes in handy. Vigitrust came up with the five pillar approach, and while my own approach is somewhat different, I want to give credit where credit is due. It's a genius way of explaining what security is about.
The five areas of security are:
Some people have more or less wordy ways of expressing those five areas, but these are the key areas. So let's go through them now.
People are our most important asset, so it's appropriate that they be first on the list. For most employees, their first brush will be with people security. They'll be screened (even if it's a simple reference check) to see if they would make a good employee. And if there are ever any concerns about an employee's behavior - well, that's people security too.
If you've worked in Security for a long time, you might remember the pre-computer days. Back in those days, it was all about files and briefcases. Computers changed the world. Today, IT security is probably our most important tool.
Key business records are now stored digitally. That makes IT systems a constant target. Usually a phishing message will open up a way into those systems. The result can be theft, fraud or ransomware. Phishing and IT fraud is always evolving. You need to train employees in security critical thinking: the art and science of making smart security decisions.
Everyone works somewhere. Your workspace may be your home. It may be an office. It may be one hotel after another. Wherever you work, there are going to be security considerations.
You can think of security in a traditional office using the nesting doll idea. The biggest doll (the one the others fit into) is the least secure. We add more layers of security with every doll. The doll at the center is thus the most secure.
When building an office space, it's best to add security as part of the design. But if employees are working from home, they will have to help add layers of security. Do they have sensitive files? Then maybe they need a secure container. Is the desk right next to a window? Maybe they need a privacy screen for their laptops. One good way to do this is to create a security checklist for different environments.
You might be wondering why information isn't part of IT. For one thing, information isn't always IT related. Prototypes can contain sensitive information. Conversations between employees can contain sensitive information. So can documents, spreadsheets, project plans, text messages, video calls and phone calls.
Human beings are natural information sharers: we're social beings. That's why it's so important to set boundaries on what can share and what we can't. The tool I recommend is the Traffic Light Protocol (TLP). It's a tool to help employees understand when it is and isn't OK to share information. In order, the levels are:
Standard security rules prevent things from going wrong. What happens when they go wrong anyway? Security in an emergency is about two things.
First, it's getting your employees through the emergency. In the case of a fire in a building, that means having a clear command structure and an evacuation plan. In the case of a corporate hack, that means having an IT Security lead ready to spring into action.
I said that security in an emergency has two aspects. The first is about helping your employees. The second is about getting your business through the emergency. This is often called Business Continuity Planning. A business continuity plan shows you exactly what you need to do to keep your business functioning. It also tells you how long they can be offline before business is impacted.
I like to think of the first part of Emergency planning as getting employees out of the building with the fire in it. The second part is about getting them back to work, somewhere else.
How the Five Areas Can Help
So what's the benefit of thinking of security in these five areas? I actually think it can help in three important ways.
There's a lot going on in security. The five areas show clients and employees that following security rules is easy.
It builds the security team
In a big security team, the IT shop may not realize how crucial the security of space shop is. (Hint: your servers are in a workspace.) Understanding the five areas can help security practitioners work better with their coworkers.
It shows that you can win
Learning about threats can be scary and overwhelming. Breaking security into five simple areas shows that we can achieve security at work - and it's not even that hard.