Speak a Common Language with S2SCORE
One of the things that's broken in our industry is the fact that we speak different languages. If you ask 10 information security people to give you their definition of information security, you'll get 12 different answers. That's a problem. We also have a problem within our industry of talking to "normal" people. There are 800,000 information security people in the United States and 327 million "normal" people. I call them "normal people" because there are more of them. I use that all the time to remind myself, when I get frustrated every time a user clicks on a link they shouldn't click on, every time they give out their password, every time they do whatever it is they're doing that makes me look at them and say, "Are you kidding me? How could you possibly do that?" Then I remind myself that they're normal. I'm not. Somewhere along the line, whatever they did seemed perfectly normal to them.
And then we've got this business-to-business problem, where you do business with, say, a big company, and as part of their vendor risk management program, they're going to ask you to do things like a SOC 2, HITRUST, or ISO certification. Those are all different translations of language between one organization and another. The problem is, we don't have a single definition. We don't have a single translation. The best thing would be to have one assessment, one translation, that would satisfy all of them.
Defining Information Security & Risk
Who's got a definition of information security? Maybe it's passwords, maybe it's protecting sensitive information. If you search online for a definition, you won't find one definition. You'll find many different definitions. SANS has its own definition. Google has its own definition. Wikipedia has its own definition. So what definition should I use? And then there's risk. Risk is one of those terms we throw around all the time, and everybody seems to think they know what it means, yet we don't. The reason I am passionate about this is that this is where we have to start. If I'm an information security officer or a chief information security officer or an information security consultant, shouldn't I define what information security is?
I'll give you my definitions. Managing risk means managing the information confidentiality, integrity, and availability risks using administrative, physical, and technical controls. I'm trying to protect three types of characteristics of information. Confidentiality is nothing more than keeping data secret so that only the people that should see the data see it. Integrity is making sure the data is accurate. And availability is making sure data is available when it needs to be.
These controls play with each other. Information can be locked down so tightly that no one will be able to use it, so everybody complains, "I can't get any work done. All information security says is 'no, no, no, no, no' to everything I ask to do." That's an overemphasis on confidentiality, which then takes away from availability. If I make information more available and convenient, usually the trade-off is confidentiality.
I have a saying: "It doesn't matter how well your firewall works if I can come and steal your server." You need to take physical and administrative security into account as well. Everybody agrees that people are your most significant risk, and so you try to fix people by locking down permissions. But administrative controls (policies, procedures, training, and awareness) are where your most significant risks exist. Not considering them in your information security plan would be missing the biggest piece of the puzzle.
Look up the term "cyber" in the dictionary, and you'll find that we're going right back to the technical part of information security. Cyber is all about technical aspects, so I don't like the term cyber security; I like information security. And risk. Risk is nothing more than likelihood and impact. Speaking the same language about all of these things is important. There needs to be an agreement within the information security community that these are the definitions we're going to use, and that we're going to use them all the time, because it's confusing for us, and even more confusing for the "normal" people, when we keep changing definitions or don't have a definition at all.
When we talk about information security it doesn't translate well. What we tend to do is impress people with big words, lots of acronyms, and people are like, "Oh wow, that guy must be really, really smart, so I'm going to give him a budget." That's not the way it's supposed to work. The way it's supposed to work is I'm supposed to take the time to explain to people what information security is. We need to relate to the positions that they work in. I don't understand how accounting works, nor do I need to. But I do need to meet that accountant where they are so they can understand why information security is important to their world.
The Problem
The single most impactful driver of information security investment in our industry is compliance. I would estimate 85% of all information security dollars are driven by compliance. Ten percent probably originates from a breach or some other bad thing that occurred. What usually happens then is you overspend and overcompensate, because you're so focused on defending yourself from the lawsuits and everything else that might be coming. The other five percent are the people who actually want to do this right. The good news is that number has grown; I would say it was probably two percent five years ago. But what's driving information security right now is compliance, whether it be GLBA, HIPAA, FINRA, or GDPR, which is the big one now.
“63% of all breaches happen through vendors or vendor relationships.”
Evan Francen | CEO & Founder | SecurityStudio
So from a business-to-business perspective, if I'm linked to, let's say, Wells Fargo, and I'm going to do business with a vendor, maybe a printing company, then as part of that business I'm going to share some information. What the Office of the Comptroller of the Currency, which enforces GLBA on Wells Fargo, will ask is, "What are the risks in doing business with those vendors?" So you start a vendor risk management program. Sixty-three percent of all breaches happen through vendors or vendor relationships. Wells Fargo may send an assessor to run you through the wringer on all the information security controls that are relevant to Wells Fargo but may not be that relevant to you. That's a big challenge. That's a translation problem. Other organizations will ask for a SOC 2, ISO certification, or HITRUST certification. If you do business in banking, and Wells Fargo is one of your customers, US Bank is another, and JPMorgan Chase is another, they may all be asking for different things.
Solution: A Common Language
So what's the common language in all of this? If you're like most organizations, completing those questionnaires and requests would require a full-time employee or two. So instead of spending money providing value to your company, you're spending all of your money answering questions from customers. That's a problem in our industry. You see the translation problems; they're fundamental and need to be fixed. That's why the S2SCORE was developed. S2Score is similar to a credit score, where everyone has a personal credit score ranging from 300 to 850. Our definition of information security is holistic and includes administrative, physical, and technical controls.
The S2Score provides a quick translation that everyone can understand. It has the credibility to satisfy people like me, information security people who are usually pretty critical of most things. It also satisfies others within organizations by presenting the security conversation in a language they understand, and it works for business-to-business as well.