While attending this year's Infosec show I was suddenly struck with the thought that information security has become the new Golden Goose for the IT industry. The vast number of impressive exhibitor stands, professional presentations and the prevalence of suits as the preferred attire for the attendees demonstrated that information security is now a primary concern for senior IT and business executives, as well as IT vendors.
After a number of lean years post Y2K and the bursting of the Dot Com bubble, it appears that IT security is providing IT service suppliers, vendors and resellers with a new market in which to generate more revenue. A few years ago, finding someone with information security expertise was difficult; nowadays every reseller, vendor and consultant seems to be offering companies solutions and advice on how to secure their computing infrastructure. The company that sold you printers a few years ago will now also sell you security solutions. Coverage of information security is increasing in both the industry and mainstream press, with more and more column inches being devoted to the subject.

Surely making IT security a commodity and increasing awareness of the issue can only be good for the information security field? Sadly, I am finding the opposite to be true. In my experience, information technology, and not just information security, is still viewed by many businesses, particularly in the SME sector, as a necessary evil and a black hole that consumes money. This mistrust and lack of understanding of technology is further compounded by the same business people not understanding information security. They understand other risks facing their business, such as theft or fire, because they have more tangible references based on experience, but information security is not so tangible. It is viewed as a technology problem and, compounding the issue, most IT professionals treat it as a technical problem requiring a fix rather than a continually managed process.

The core of the problem is the lack of distinction between IT security and information security. At its most basic, IT security is simply protecting the IT infrastructure and ensuring its availability. Simply put, if it breaks then fix it. Information security is ensuring that the information the company relies on is protected and available within acceptable levels of predefined risk. That information can take many forms, and more and more of it is being stored electronically on the IT infrastructure, but this does not mean that information security and IT security are one and the same.

If we now add into the mix vendors, consultants and resellers who see an opportunity to make money, and who themselves may not fully understand the difference between information security and IT security, we have a situation where everyone is more aware of IT security issues but without properly understanding the intricacies of information security. Instead the focus is often on the symptoms of the problem rather than the underlying cause, with everyone looking for solutions without actually understanding and addressing the problem. Vendors and resellers are only too happy to sell products and services that provide solutions; that, after all, is their job. However, if the underlying problem is not properly identified and addressed, these solutions will not deliver the expected results.

Increasing awareness of information security among business and IT professionals alike can only be a positive thing, but this awareness needs to be tempered, directed and managed properly. We need to step away from the product hype and the scare stories and remind ourselves what it is that we, as information security professionals, are trying to achieve. We need to ensure that people don't focus solely on technological solutions but also take in the other elements of a good information security architecture: people and process. Taking a holistic view of information security will help us all ensure the goose keeps on laying those eggs for the foreseeable future.