Running With Scissors…Security, Survivability, Management, Resilience…Whatever!
Mom always told me not to run with scissors because she knew that ugly things might happen if I did. I seem to have blocked this advice out of my psyche. Running with scissors can be exhilarating.
My latest set of posts represents the equivalent of blogging with scissors, it seems.
Sadly, sometimes one of the only ways to get people to intelligently engage in contentious discourse on a critical element of our profession is to bait them into a game of definitional semantics; basically pushing buttons and debating nuance to finally arrive at the destination of an "AHA! moment."
Either that, or I just suck at making a point and have to go through all the machinations to arrive at consensus. I’m the first to admit that I oftentimes find myself misunderstood, but I’ve come to take this with a grain of salt and try to learn from my mistakes.
I don’t conspire to be tricky or otherwise employ cunning or guile to goad people with the goal of somehow making them look foolish, but rather have discussions that need to be had. You’ll just have to take my word on that. Or not.
You Say Potato, I say Po-ta-toe…
There are a number of you smart cookies who have been reading my posts on Information Survivability and have asked a set of very similar questions that are really insightful and provoke exactly the sort of discussion I had hoped for.
Interestingly, folks continue to argue definitional semantics without realizing that we’re mostly saying the same thing. Most of you bristling really aren’t pushing back on the functional aspects of Information Security vs. Information Survivability. Rather, it seems that you’ve become mired in the selection of words rather than the meme.
What do I mean? Folks are spending far too much time debating which verb/noun to use to describe what we do, and we’re talking past each other. Granted, a lot of this is my fault for the way I choose to stage the debate, and given this medium, it’s sometimes hard to re-focus the conversation because it becomes so fragmented.
Rich Mogull posted a great set of commentary on this titled "Information Security vs. Information Survivability: Retaking Our Vocabulary," wherein he eloquently rounds this out:
The problem is that we’ve lost control of our own vocabulary. “Information security” as a term has come to define merely a fraction of its intended scope.

Thus we have to use terms like security risk management and information survivability to re-define ourselves, despite having a completely suitable term available to us. It’s like the battle between the words “hacker” and “cracker”. We’ve lost that fight with “information security”, and thus need to use new language to advance the discussion of our field.

When Chris, myself, and others talk about “information survivability” or whatever other terms we’ll come up with, it’s not because we’re trying to redefine our practice or industry, it’s because we’re trying to bring security back to its core principles. Since we’ve lost control of the vocabulary we should be using, we need to introduce a new vocabulary just to get people thinking differently.
As usual, Rich follows up and tries to smooth this all out. I’m really glad he did because the commentary that followed showed exactly the behavior I am referring to in two parts. This was from a comment left on Rich’s post. It’s not meant to single out the author but is awkwardly profound in its relevance:
This is the crux of the biscuit. Thanks for saying this. I don’t like the word “survivability” for the pessimistic connotations it has, as you pointed out. I also think it’s a subset of information security, not the other way around.
I can’t possibly fathom how one would suggest that Survivability, which encompasses risk management, resilience and classical CIA assurance with an overarching shift in business-integrated perspective, can be thought of as a subset of a narrow, technically-focused practice like that which Information Security has become. There’s not much more I can say on this topic than I already have.
Now, if you wanted to go up a level to *information management*, where you were concerned not only with getting the data to where it needs to be at the right time, but also with getting *enough* data, and the *right* data, then I would buy that as a superset of information security. Information management also includes the practices of retaining the right information for as long as it’s needed and no longer, and reducing duplication of information. It includes deciding which information to release and which to keep private. It includes a whole lot more than just security.
Um, that’s what Information Survivability *is.* That’s not what Information Security has become, however, as the author clearly points out. This is like some sort of weird passive-aggressive recursion.
So what this really means is that people are really not disagreeing that the functional definition of Information Security is outmoded; they just don’t like the term survivability. Fine! Call it what you will: Information Resilience, Information Management, Information Assurance. But here’s why you can’t call it Information Security (from Lance’s comment here):
It seems like the focus here is less on technology, and more on process and risk management. How is this approach different from ISO 27000, or any other ISMS? You use the word survivability instead of business process; however, other than that it seems more similar than different.
That’s right. It’s not a technology-only focus. Survivability (or whatever you’d like to call it) focuses on integrating risk assessment and risk management concepts with business blueprinting/business process modeling and applying just the right amount of Information Security where, when and how needed to align to the risk tolerance (I dare not say "appetite") of the business.
In a "scientific" taste test, 7/10 information security programs are focused on compliance and managing threats and vulnerabilities. They don’t holistically integrate and manage risk. They deploy a bunch of boxes using a cost-model that absolutely sucks donkey… See Gunnar’s posts on the matter.
There are more similarities than differences in many cases, but the reality is that most people today in our profession completely abuse the use of the term "risk." Not intentionally, mind you, but due to the same reason Information Security has been bastardized and spread liberally like some great mitigation marmalade across the toasty canvas of our profession.
The short of this is that you can playfully toy with putting lipstick on a pig (which I did for argument’s sake) and call what you do anything you like.
However, if what you do, regardless of what you call it and no matter how much "difference" you seem to think you make, isn’t in alignment with the strategic initiatives of the company, your function over time becomes irrelevant. Or at least a giant speed bump.
Time for Jiu Jitsu practice! With Scissors!