[Dailydave] Security Paleontology - The Jurassic Park rule

Dennis Groves dennis.groves at gmail.com
Thu Jul 17 17:04:03 EDT 2014


On Thu, 17 Jul 2014 10:11:02 -0400
William Arbaugh <warbaugh at gmail.com> wrote:

> 
> On Jul 17, 2014, at 9:51 AM, Dave Aitel <dave at immunityinc.com> wrote:
> 
> > I got a bunch of replies that said this:
> > """
> > Dave, enjoyed reading your rant, but I don't understand your
> > punchline on securing data --"but in fact, just to make it less
> > valuable" - how do you make data less valuable?
> > """
> > 
> Ultimately, we're suffering from the sins of the early days of
> information assurance. The focus then, as now, was on protecting the
> computers and networks. Instead, the focus should have been on
> protecting the data.

Data is IT Security, and you are correct it has to be protected and
to date it seems this has not been done well, if at all.

However, Information Security is about protecting the VALUE created by
the data for both the business and its customers. Businesses are
trading on the /value creation/ not the data. That value is usually
unique to the business, and the business is able to do something
faster, cheaper, at scale, bespoke or whatever for the customer.

Additionally, that value which is created is also valuable to those
who may also be able to benefit either from the disruption or
destruction (sabotage) of that business's value creation or from being
able to profit from that value that the business created (arbitrage).

Information security is much harder because that value creation is very
often not found in hard assets, but often in things like the
efficiency of a supply chain or some other epiphenomenon that results
from the system.

Cheers,

Dennis

-- 
If you don't know the threat, how do you know what to protect?
If you don't know what to protect, how do you know you are protecting
it? If you are not protecting it, the adversary wins!

