Some people talk about information security and others speak of physical security. Still others wonder what either of those subjects has to do with business. Rather than trying to shoehorn either of them into business, I’d prefer to introduce a new subject which I’ll call business security. Then hopefully nobody will ask what it has to do with business.
Every organization, whether military, governmental, civilian, public, or private, has a mission. The mission is the organization’s main reason for being. The mission is the core task the organization was created to accomplish. The army’s mission is to defend the country and to win the war. The government’s mission is to provide a fair and decent life for its citizens. A bank’s mission is to protect the assets entrusted to it and to provide its investors a decent rate of return on their investments in it. So on and so forth.
In order to realize and achieve the mission, the organization must translate it into one or more objectives. An objective is a task deemed necessary in order to accomplish a mission. A military objective might be to neutralize the enemy’s capacity to operate freely in the air, in the seas, or in cyberspace. A government objective might be to get re-elected or to ensure fair elections. A bank’s objective might be to allow online services to its customers or to open up new branches in emerging markets. Objectives are more specific than missions but they are still not specific enough to implement in an efficient and consistent manner.
Objectives are further translated into well-defined processes and procedures that may be manually performed or automated with the help of technology.
Assets are things of value to an organization that it purchases or develops in order to achieve its objectives or mission. Assets may be tangible, like ships, planes, tanks, buildings, and computers, or intangible, like ideas, data, or software. A military asset may also be a soldier or a spy. Non-military assets can usually be expressed in monetary terms, and money can be turned back into assets. The value of a non-military asset may range from less than a cent to more than a billion dollars. It doesn’t make good business sense to lump all assets together and treat them the same. For instance, it wouldn’t make sense to apply a $100,000,000 process to a $1 asset, unless that process applied to 100,000,000 of those assets. Assets should be treated in accordance with their value; however, value can be a tricky concept. It can depend on who’s evaluating. It might be what it originally cost to develop or purchase the asset. It might be the cost to replace it now. It might be what it’s currently worth after depreciation. It might be the market value after being processed and packaged, or the value to a customer. It might have a certain value when stolen, exposed, copied, modified, or destroyed. These are damage values. Damage values can involve litigation or be punitive in nature.
Nobody has discovered a sure-fire way to make money. All business activities entail a degree of risk. Nothing ventured, nothing gained. It’s quite likely that the degree of expected profits equals the degree of risk. Risks generally attach themselves to assets, especially those assets that are not adequately protected. There are many different kinds of risk: financial risk, operational risk, security risk, geopolitical risk, natural risk (earthquakes, floods, hurricanes, asteroids, etc.), social risk, and the categories go on. All risks have the same basic attributes and deserve due consideration. The attributes of risks are the probability or frequency of occurrence and the damage value of an occurrence to one or more assets. It makes sense for an organization to consider its top ten assets and then consider the top ten risks in each of the risk categories against each of those ten assets, taking into account the probability or frequency of occurrence and the potential damage value.
At this point I only want to talk about security risks because that is my specialty. If you want to know more about the other risk categories, call an actuarial accountant. There are three kinds of security risks: risks to the confidentiality of an asset, risks to the integrity of an asset, and risks to the availability of an asset.
A risk to confidentiality of an asset may come from an intruder stealing or intercepting a container or a transmission with a secret or sensitive document, or injecting spyware or malware to exfiltrate a database of credit card data or operational plans.
A risk to the integrity of an asset may come from deliberately or accidentally breaking a computer screen or keyboard, or injecting a destructive or corrupting virus or malware into a document or software.
A risk to the availability of an asset may come from blocking all entrances to a building, blowing it up, or burning it down, or organizing a distributed denial of service or spam attack on an organization’s web or email site, or injecting ransomware to encrypt files so they can’t be accessed or used unless the victim pays a ransom.
Each security risk could be expanded into many more examples, but there are only three kinds. Once again, it makes sense for an organization to consider its top ten assets and then consider the top ten security risks in each of the security sub-categories (confidentiality, integrity, and availability) against each of those ten assets, taking into account the probability or frequency of occurrence and the potential damage value.
Risks may be reduced, avoided, transferred, or accepted, but they cannot be ignored without appearing negligent in the eyes of regulators, stakeholders, and customers. That goes for security risks too.
A control is something that works alone or in concert with other controls to deal with one or more risks. There are three kinds of security controls: those that detect risks, threats, vulnerabilities, or exploits; those that prevent exploits; and those that correct damages resulting from successful exploits. Some controls can detect risks, threats, and exploits before they reach the organization, while others can only detect them after they have reached the organization or when they originate from within it. Some controls can prevent exploits before they reach your organization, and others can only prevent exploits from within the boundaries of your organization. Corrective controls only work after the damage has occurred.
Detective security controls may include police detectives, security guards, security cameras, sensors, alarm systems, intrusion detection systems, tripwire systems, identity management systems, honeypots and honeynets, sandboxes, security logs, security information and event management (SIEM) software, risk management procedures, security incident response procedures, forensic procedures, cyber intelligence, situational awareness, security policies, security managers, security procedures, and more.
Preventative security controls may include walls, doors, locks, the armed forces, security guards, firewalls, access control lists, identity and access management systems, whitelists, blacklists, adaptive networks, intrusion prevention systems, anti-virus and anti-malware software, encryption/decryption systems, sandboxes, two- or three-factor authentication systems, security policies, security managers, security procedures, security training, and more.
Corrective security controls may include backup/recovery systems, disaster recovery and business continuity plans, redundancy, clustering, replication, self-correcting networks, error correcting memory and disks, security policies, security managers, security procedures, etc.
The thing about controls is that it doesn’t make sense to spend more on them than the value of the assets being protected. That implies you had better know the value of your assets in order to apply appropriate controls. That, in turn, requires that you know what assets you have in your organization, at least the top ten or so. Many organizations don’t know what their top assets are. The consensus seems to be that, instead of going through the effort of inventorying the assets, let’s just defend everything. Frederick the Great of Prussia is reputed to have said, “He who defends everything defends nothing.” It invariably costs more to protect everything than it does to protect just the assets that justify the cost, and it’s often inadequate for protecting the most valuable assets.
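As an added illustration, not part of the essay, here is the top-ten ranking from the risk passages above (frequency times damage value, across the confidentiality, integrity, and availability sub-categories) together with the rule that a control should not cost more than the assets it protects. The asset values, frequencies, and control costs are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    value: float          # replacement or damage value, in dollars

@dataclass
class Risk:
    asset: str            # name of the asset the risk attaches to
    category: str         # "confidentiality", "integrity" or "availability"
    description: str
    annual_frequency: float   # expected occurrences per year
    damage_value: float       # loss per occurrence, in dollars

def expected_annual_loss(risk: Risk) -> float:
    """Probability/frequency of occurrence times damage value, per year."""
    return risk.annual_frequency * risk.damage_value

def rank_risks(risks: list[Risk], top_n: int = 10) -> list[Risk]:
    """Top-N risks by expected annual loss, across all three sub-categories."""
    return sorted(risks, key=expected_annual_loss, reverse=True)[:top_n]

def control_is_justified(annual_cost: float, protects: list[str],
                         assets: dict[str, Asset]) -> bool:
    """Never spend more on a control than the value of the assets it protects."""
    protected_value = sum(assets[name].value for name in protects)
    return annual_cost <= protected_value

# Constructed sample inventory; values are illustrative, not from the article.
ASSETS = {a.name: a for a in [
    Asset("customer database", 5_000_000),
    Asset("web storefront", 2_000_000),
    Asset("lobby keyboard", 50),
]}

RISKS = [
    Risk("customer database", "availability", "ransomware encrypts the database", 0.2, 3_000_000),
    Risk("customer database", "confidentiality", "malware exfiltrates card data", 0.1, 5_000_000),
    Risk("web storefront", "availability", "distributed denial of service", 2.0, 100_000),
    Risk("lobby keyboard", "integrity", "keyboard broken by accident", 3.0, 50),
]

if __name__ == "__main__":
    for r in rank_risks(RISKS):
        print(f"{expected_annual_loss(r):>12,.0f}  {r.category:15} {r.asset}: {r.description}")
    # Backups priced at $200k/year for a $5M asset pass the rule; $100k for a $50 asset does not.
    print(control_is_justified(200_000, ["customer database"], ASSETS))
    print(control_is_justified(100_000, ["lobby keyboard"], ASSETS))
```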
In summary, business security does not exist in a vacuum. It is part of the cost of doing business.