A lot of people in Information Security think security means “stopping bad things from happening”. It’s understandable, given that we’ve been practicing it that way for decades now.
Basically, security has been synonymous with prevention for as long as most can remember, and that’s the way the entire industry is configured and oriented.
But there’s another, far deeper and more meaningful definition of the word that’s visible in the word itself.
The Latin root, securus (se-, “without”, plus cura, “care”), described a state of being free from worry rather than a set of preventative measures, and we should get back to that.
I love the idea of pursuing freedom from worry for both business and society, because it gives us options in a world where prevention isn’t always possible.
- How do you prevent pipe bombs in malls when there are 350 million people in an open society?
- How do you prevent code execution in a world where processors run anything by default and software companies are not punished for insecure code?
- How do you prevent service disruption in an Internet of Things when there are billions of devices publicly accessible from anywhere?
Note the alluring application of alliteration.
You don’t. The only approach is to stop treating prevention as the whole strategy and move to a more mature model of resilience. Resilience is powerful precisely because it gets us to the true definition of security: being ok no matter what.
This is what we should be seeking for our businesses, and for society. So instead of saying:
Don’t worry everyone! I’m a security wizard! I know the techniques that are being used to attack our business, and I will use that knowledge to keep it from happening in the future! (alchemy and deceit)
…we instead say:
The internet is crazy, and we cannot possibly prevent everything. But what we have done is account for as many negative scenarios as possible, and we’re currently at a state where most scenarios that would destroy other businesses will not affect us. We have failovers, backups, restore procedures, alternate services, etc., and you can safely carry on. Do. Not. Worry. (transparency and truth)
That is the future of InfoSec, and the future of security in general.
Don’t tell me you’ve modeled and figured out how to stop every bad thing that can happen. Tell me instead that you’ve got us to a point where most things could fail and we’d still be ok.
Let’s start using this new definition as soon as possible, and encouraging others to use it as well.
- Wikipedia’s etymology of Security.
- Thanks to Peter Albert for showing me the Latin etymology that got me thinking about this.