Hans Wierenga on Trust, Respect & Utility

Hans Wierenga recently published in SOA Magazine (Issue XLII: August 2010) a brilliant article analysing the predicament of the Security disciplines. The title itself is ‘to the point’: “Why the Information Security Consultancy Industry Needs a Major Overhaul” (http://www.soamag.com/I42/0810-1.php)

Wierenga writes:

“Unfortunately, the current information security vocabulary – in particular, as embodied in standards such as the ISO 27000 family of standards, CRAMM and COBIT – is structurally and fundamentally unsuitable for the expression of the information security requirements of the 21st century. The key terms of this vocabulary are confidentiality, integrity and availability, better known under the acronym CIA. As we shall show in this article, there are many, many goals which are not adequately covered by these terms, but nevertheless must be achieved in order for an organisation to have good information security in the Internet age.”

“However, the vocabulary is not the only problem with CIA: the way that it is applied is also inadequate. CIA is applied to the individual information assets of organisations, with little regard for the collective impact these assets have on the experiences of customers, suppliers and employees. But it is this collective impact that determines the business value of information security. In other words, the security consultancy industry standards do not just employ the wrong words, but they also apply them to the wrong things. The CIA paradigm entirely ignores the fact that the whole is more than the sum of the parts, blithely assuming that if each individual information system is secure that the whole is too. This way of thinking is hardwired into the standard approach of the information security consultancy industry, which involves making an inventory of the information systems and then working out how to make each of them secure.”

In previous posts I have classified the standard Information Security approach as mechanistic (techno-centric), and explained how it is rooted in the machine metaphor and the conception of information as an object or physical substance.

Wierenga does not employ a metaphor analysis or world-view approach, but nevertheless he clearly sees that the problems with the standard thinking arise from a specific ideology:

“If all the money ever invested in implementing CIA was one giant waste, it wouldn’t matter because there is no way to tell. We may know the end result of this investment, but not what the result would have been without it. Using words which don’t adequately express the goals we wish to achieve, applying an approach which considers only the parts but not the whole, and not measuring how effective you are is a recipe for ineffective solutions. That need not be a problem if the whole point of the exercise is to enable those responsible to claim that they took the best advice and did everything they could, but not everybody can afford to take such a position. In this paper we shall discuss how the conventional wisdom of the information security consultancy industry can be improved upon in order to deliver measurable business value. We shall introduce more appropriate terms, which enable us to maximize this business value, and we shall introduce an approach which goes from the whole to the parts. The new terms – trust, respect and utility – enable us to focus on the business value of information security and lead to better information security solutions. We shall show how engendering trust, showing respect and delivering utility changes the information security landscape. We shall demonstrate how they improve on the CIA-goals and approach, and discuss whether it makes sense to incorporate the old wisdom into the new.”

Arising from this approach, Wierenga proposes new guiding principles for Information Security Consultancy – Trust, Respect and Utility – and further expands Trust with principles to “Create Transparency, Right Wrongs, Confront Reality, Clarify Expectations, Practice Accountability, and Keep Commitments”.

Central to Wierenga’s thinking is the principle of Trust, which should be at the centre of Information Security. This is also essential to my approach to Information Security and I&AM.

I am proposing a very compact modification of the standard CIA “triad”, by including the element of Direction (see: http://carlos-trigoso.com/mind-maps/security-perspectives/). In this way I do not discard the traditional CIA triad, but add a fourth element. The element of Direction reflects all those factors that escape the techno-centric standard approach. In particular, it is important to note that the disciplines of Direction encompass the definition of trust, assurance, intention, decision and business model. The four-sided model does not make claims of originality (it is based on work by John Arnold and other Security thinkers, especially Donn Parker, authors cited in previous posts here).

See: http://www.computersecurityhandbook.com/CSH4/Chapter5.html

Correctly, Wierenga understands that a deep change in Information Security Consultancy actually requires a new vision:

“A new approach to information security is hardly possible without a new way of looking at information systems. In this paper we shall apply the service-oriented architecture paradigm for that purpose. The paradigm describes all interactions in terms of services, in which a requestor asks an agent for something to be done, and the agent ensures that it gets done and delivers a response to the requestor. This way of thinking can be applied at a business level, in order to describe interactions between organisations, at a functional level, to describe how the activities of which business processes are comprised interact, and at the level of information systems, in order to describe how systems and parts of systems interact. Applying it at all levels enables an organisation to make the connection between each and every part of its information processing and the business value that it delivers.”

People may think that Service Oriented Architecture is something old and not worth considering. That view would be seriously misinformed. I recommend reading Wierenga’s article in its entirety. Here is another article by Hans Wierenga:

http://www.infoq.com/articles/10-soa-commandments