Because information security, in its current state, tends to attract its share of negativity and dramatic rumors, our first goal before beginning this journey is to clear our minds of the programming we have received thus far and start with a clean slate. Approaching security with a bad attitude makes it far more difficult to accomplish our goals. So, let's quickly mention a fact that people rarely discuss:
Sound too good to be true? Practicing information security is just like practicing anything else in this world; there are good ways and bad ways of going about it. This book is designed to direct the reader to one of the good ways for practicing security. I say "one of the good ways" because there are indeed many different ways to think about and address security, and many of them are very good. This book simply chooses one of the most effective methods that is applicable to the widest variety of organizations.
Erasing the Programming Around Us
Good security practices mean nothing, of course, if no one hears, understands, or follows them. When starting, one of the most important components of mobilizing an entire organization to follow good information security practices is to vaporize the negative programming about security. From cover to cover, one of our goals in becoming secure is to convince ourselves and those around us that information security does not have to be a great burden. End-users and upper management are extremely prone to negative ideas about security since they are exposed to them day in and day out. How many companies have spent millions on security measures, only to inhibit their daily business practices? How many departments have had to switch to complex and obscure operational practices when security was introduced to the environment? This is somewhere in the minds of most individuals when they hear the word "security." The term "security" is often wrongly considered synonymous with the term "burden."
If a security practice is a great burden, then something is wrong. Security is not effective if it overburdens the end-users or overtaxes the organization's resources. Information security is far too entwined with the human and business aspects of an organization to simply focus on the technologies and policies and not their effects on everything else. Most people know this. But what most don't realize is that security, when applied properly, does not have to impair operations or business.
Later in this book, I will discuss some techniques for seeing ourselves through the eyes of a hacker. In the beginning, however, we really need to focus on knowing our organizations through the eyes of the owners, customers, and investors. Proper security always reflects the environment it is applied to, its assets, goals, and capabilities. Security cannot be accomplished without first having an understanding of who we are and what we do. We do not need a degree in business analysis, but we do need to be tuned into the company's motives and operations, more so than one may think an IT employee would.
Knowing ourselves at this level does not mean we need to search the entire complex and figure out what every switch and knob does. Our goal is far less formal and more effective. We simply need to talk to people. Here are some suggestions for anyone wanting to practice information security within their organization or within their client's organization.
Some Important Information to Know
This is a short list, but it should cover the main information we need to get started:
Where to Get This Information
The information listed above can be discovered in several different ways. This is where we put on our detective hats; only we don't need to go diving into any dumpsters for information, since there are many readily available sources for answering our questions. Remember as we go forward that the more human interaction we have, the better. Security is always an interactive process, and it is essential that we make contact with as many people in as many roles as possible. The more people we are on good terms with, the more allies we will have when fighting the security battle. Here are some good sources to find key information about your organization.
Knowing We Are Ready
Take another deep breath. Having cleared our minds of negative programming and learned a little about the environment, we are now ready to move forward. The basic understanding derived from these previous few pages has already put us way ahead of the majority of information security practices going on in the world. By coming to a clearer understanding of the environment and removing some of the misnomers that negatively affect progress, we will easily overcome many of the obstacles that trip up other security practitioners. Now, let's dig a little deeper.