Three’s a Charm

Dec. 11, 2014
Get to know these pillars of IT security

We’ve all heard the saying: third time’s a charm.  My Irish forebears loved telling the story of Saint Patrick and how he was able to explain the Holy Trinity to the island’s primitive inhabitants by using a shamrock instead of the expected PowerPoint presentation.  The Chinese consider three a lucky number; the reason cited most often is that this numeral represents the major stages of life: birth, marriage, and death.  Ancient Egyptians referred to great leaders as “thrice-great”, and early Roman funeral ceremonies called out the deceased’s name three distinct times.

The information security profession has some pretty neat triads as well.  I should know.  I ended up writing a book about them.  One of the triads we reference often represents the three categories of security safeguards (or ‘countermeasures’ in some models): technology, policy/process, and human factors (sometimes noted as the ‘people’ factor).  Synchronizing your safeguards across all three categories is truly the art form that ultimately defines the savvy security professional.

However, it’s not uncommon to see the emphasis shift among preferred controls.  If you spend any amount of time listening to industry watchdogs and Wall Street, you could be excused for having the perception that cyber security (as it’s now popularly called) is all about attack and defend technology.  The industry that started as simple password controls and spawned the first basic firewalls for the inchoate Internet in the 1980s has now exploded into multi-billion-dollar companies with dozens of technology products.  Additionally, there is still a vast army of small vendors and start-ups aiming for the “next big thing” in cyber security.

Seemingly lost in the cacophony of mergers, acquisitions, stock options, and geek talk are the less enthralling elements of process and people.  When it comes to people, many assume the safeguards are centered on awareness training, posters, and corporate proclamations on the importance of computer hygiene.  The people component plays a much more comprehensive role than that, but surely the true unsung heroes of our business are the ones who help us design policies and process.

I was recently visiting with a client who heard about the importance of policies and process for protecting critical data resources, and immediately began to declaim that his company didn’t really like those messy and indecipherable aspects of security.  Apparently, for his organization, codifying processes was considered an anachronistic vestige of a bygone era that started with Gutenberg and ended with Steve Jobs.  I smiled as I felt the substantial heft of the standards and guidelines weighing down my briefcase.  They may seem cumbersome, and some even consider them outdated.  However, processes and standards are central to ensuring your security program can support all that fancy, new technology you’re buying -- and don’t forget the humans, too!

About the Author

John McCumber

John McCumber is a security and risk professional, and author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, e-mail [email protected].