What is good Information Security?
Information Security is a very broad term: it covers the security of any information system that an organisation uses, ranging from smoke signals to quantum computers.
Good information security is flexible and works to classify information so that you can satisfy particular security requirements, such as data integrity over a secure line. This is best demonstrated by how governments classify information and prescribe how each class must be handled.
To follow on from the example of smoke signals: an encrypted smoke signal may well be complex enough to be secure, even though an external party is attempting to ‘listen in’. The physical infrastructure is also important, to make sure the smoke signal is actually sent.
These are foundational aspects of information security and apply to all IT systems too.
This is naturally quite complex to implement, despite being straightforward to explore in a thought experiment. So what does ‘good’ look like? The answer is a vague one: it depends.
Good practice varies with the sector, its customers and the relevant specialisms within them. Were you a very famous British spy, the hurdles to achieving good information security would be leagues more complex than those facing a local greengrocer, even if the latter sells fresh vegetables to that very same world-renowned spy.
Sustaining Security through Technology
Communication, and the storage of what is communicated, be it a commercial contract or an email, is secured through a variety of technologies. These should not be considered ‘add-ons’ to pre-existing capabilities; instead they should embody being Secure By Design.
Good information security is wholly dependent on context and has to be informed by the environment it operates in. For example, if you are in charge of a team of software developers, you will require secure systems that run Endpoint Detection and Response (EDR) solutions, because it is likely your developers hold local-administrator rights on those systems. Such a malleable system is difficult to ‘harden’, so we start from a higher bar.
EDR is a capability, and in the above example it should not be an afterthought: the brief time a developer spends downloading a code library may be enough for a security incident to occur. Having EDR pre-loaded on your systems is therefore core to facilitating operations.
There is a range of vendors who will all say they are the best, and we ourselves have our favourites, but good practice is to evaluate information systems on what they achieve rather than on their brand.
The expertise to implement these technologies is also necessary and is often hard to come by, as there is a global shortage of security professionals. This means that you will have to speak to a variety of experts, either through a screen (e.g. recruitment agencies, or Hayachi Services) or by identifying and engaging them directly for specific services.
Being driven by capabilities is very important for sustaining effective information security, otherwise there is a risk you will buy the right tool for the wrong job.
Day-to-day Information Security
Information Security may seem like a mountain to climb on top of a mountain of work, but instead it should be treated as something you do incrementally throughout your journey. Security By Design actually reduces your workload and expenditure, because the most effective time to review and implement security processes is before deployment.
Our partner WatchTower helps organisations of all sizes sustain good practice throughout the year and implement security in an incremental and holistic way. Couple this with vendors such as Opswat, who bring capabilities from a wide range of vendors to your doorstep, enabling you to achieve comprehensive security in a flexible way.