How is security different in government, business, and education?

If you look at the foundations of information security, they’re all there. For example, we look at the CIA triad, the three things that information security professionals always think about. Confidentiality. Making sure that nobody has access to sensitive information that shouldn’t. Integrity. Making sure that nobody can make an unauthorized modification to information. And availability. Making sure that authorized users have access to the information that they need when they need it.

Those three things are the cornerstone across all industries of information security. The other thing that’s true across all industries, is that security is about risk. It’s about risk management. Going out and looking at different situations, trying to figure out what risks are involved, and then taking actions to mitigate that risk to the extent that’s appropriate given the business context. Now, there are also differences in information security across different industries. When you’re in the government, you’re in a situation where maybe you’re involved as a regulator, or you’re trying to sort through a lot of different regulations that actually apply to you as a government agency.

And the government tends to move pretty slowly. So, being in security in that type of environment can sometimes be a little frustrating, but you know that the work that you’re doing is contributing to society as a whole. In business, you wind up with a much faster pace, and you have different goals though. The organization has clear business objectives, and the role of security in those situations is to make sure that the organization can achieve its business objectives without jeopardizing it’s security objectives at the same time.

And then, education works actually in ways that are pretty similar to the way business works, but you have an added twist. You have a mission of educating students. So, you often find students involved in your security operations. You might have student employees working side by side with your regular staff, and part of our mission is to make sure that we educate our students about the field, and give them opportunities for professional growth and development, as well.

How can organizations prevent incidents?

I’ll let you in on a secret. There’s one security control that organizations can use that really will help with security incidents, but it’s so often overlooked. And it’s minimizing the amount of information that you have. When you look at the history of security breaches, probably the most damaging breaches that have occurred, and the ones that make news headlines are the ones that involve really sensitive personal information. Things like social security numbers and credit card numbers. When you start digging into what happened during those breaches, so many times the organization just had maintained massive amounts of information that they either never needed in the first place, or the need that they had for it had passed and it was just kept either by accident or just because somebody never bothered to go and clean it up.

So one of the most important things an organization can do is go through and search all their systems and databases and other information repositories and seek out the really sensitive information. There are tools that can go and search for social security numbers and search for credit card numbers based on pattern matching and other algorithms that can really reduce the number of false positives and zero in on those sensitive pieces of information. If you go out and remove as much of that as you possibly can you’re really going to limit the amount of damage that occurs during a breach.

If you can get rid of it, a breach, if a hacker manages to break into your network and there’s some sort of security incident, it might not be something that you even need to report, because there wasn’t any sensitive information stolen. If there is, that sensitive information stolen, by deleting most of it, you’ve managed to really narrow down the number of people that it affects.