Chris Hoff and I (and a few others, like Adrian Lane and Gunnar Peterson) have started waxing philosophic quite a bit lately. From debates over Jericho to emotional rants on staying motivated in security, to the security vs. survivability debate, we’ve strayed from our more practical advice and wandered into the land of coffee shops, security jazz, and stupid black berets on our heads.
While I realize many of you just want advice on how to secure virtualization, or which DLP tool to buy, these discussions are more than simple intellectual masturbation or self-promotional BS. We work in a complex profession that’s constantly challenged to manage the baggage of the past while preparing for a nebulous future. It’s just as important to gut check how we’re doing today and plan for the future as it is to keep the bad guys out today.
I’m working on a longer post for tomorrow on security and innovation, but today Hoff posted his primer on information security vs. information survivability. In it, he uses part of a discussion we had on the phone earlier this week:
It’s very important to recognize that I’m not saying that Information Security is “wrong” or that the operational practitioners that are in the trenches every day fighting what they perceive to be the “good fight” are doing anything wrong. However, and as Rich Mogull so eloquently described, we’ve lost the language to describe what it is we should be doing and the title, scope, definition and mission of “Information Security” has not kept up with the evolution of business, culture, technology or economics.
I’d like to elaborate for a moment on what I said during that call.
I (and I believe Chris) firmly believe that information security is the correct term for what we do. “Survivability” conjures images in my head of scrambling, half-starved proto-mammals clinging to the underbrush as the predators roam the jungle. Survival is little more than the process of not dying. A noble goal, but sometimes a half-rodent wants a little more out of life.
“Security” brings images of the predators. No, scrap that, not a mangy predator forever hunting for that next meal, but the farmer (with a well armed security force) that merely needs to wander over to the barn with an axe for a full belly. According to the dictionary, security is the state of being free from danger or threat. The definition of survivable is “not fatal”.
The problem is that we’ve lost control of our own vocabulary. “Information security” as a term has come to define merely a fraction of its intended scope.
Thus we have to use terms like security risk management and information survivability to re-define ourselves, despite having a completely suitable term available to us. It’s like the battle between the words “hacker” and “cracker”. We’ve lost that fight with “information security”, and thus need to use new language to advance the discussion of our field.
When Chris, myself, and others talk about “information survivability” or whatever other terms we’ll come up with, it’s not because we’re trying to redefine our practice or industry, it’s because we’re trying to bring security back to its core principles. Since we’ve lost control of the vocabulary we should be using, we need to introduce a new vocabulary just to get people thinking differently.
To me this is all security, but I fully recognize that to break us out of bad habits, we need to break in with some new language to retake control of our profession and mission.
2 Replies to “Information Security vs. Information Survivability: Retaking Our Vocabulary”
[…] information security. But this is a great example of what Hoff and I have been ranting on about the loss of the term information security, which in some circles only represents AV and firewalls. If that’s your definition of […]
The problem is that we’ve lost control of our own vocabulary. “Information security” as a term has come to define merely a fraction of its intended scope.
This is the crux of the biscuit. Thanks for saying this. I don’t like the word “survivability” for the pessimistic connotations it has, as you pointed out. I also think it’s a subset of information security, not the other way around.
Now, if you wanted to go up a level to *information management*, where you were concerned not only with getting the data to where it needs to be at the right time, but also with getting *enough* data, and the *right* data, then I would buy that as a superset of information security. Information management also includes the practices of retaining the right information for as long as it’s needed and no longer, and reducing duplication of information. It includes deciding which information to release and which to keep private. It includes a whole lot more than just security.