« Security on the Cheap | Main | Be Careful Hiring a Hacker »

As news keeps breaking about the latest data breach or the newest DOS attack or spam worm crippling systems worldwide, one has to start wondering: exactly what are all these security professionals and security products doing about it?

Of course, there is the vendor side offering the tantalizing prospect of end-point security, or just one product that offers complete computer security, but while that is certainly something to strive for, it certainly isn't today's reality. And the trouble with any product telling you "This is the last security solution you will ever need," the bad guys seem to immediately interpret that as, "Excellent, now then they'll never be ready for this next set of exploits we've uncovered!"

So maybe true security simply cannot be achieved. That's what Christopher Hoff has declared at Rational Security. Maybe what we need is an entirely different title for what it is we do, and the term he settled on is Information Survivability. He defines it as:

Information Survivability is defined as “the capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents to ensure that the right people get the right information at the right time.

A survivability approach combines risk management and contingency planning with computer security to protect highly distributed information services and assets in order to sustain mission-critical functions. Survivability expands the view of security from a narrow, technical specialty understood only by security experts to a risk management perspective with participation by the entire organization and stakeholders."

And you know what, that makes a lot of sense to me. Because in this game, as soon as you think you've won, you've lost.

Posted by pschooff in |Digg This|Add to del.icio.us

Trackback Pings

TrackBack URL for this entry:
http://www.ebizq.net/mt/mt-tb.cgi/2777