There is no Royal Road to understanding and achieving information security
Everyone wants information security to be easy. Wouldn’t it be nice if it were simple enough to fit snugly inside a fortune cookie? Well, although I don’t try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.
The key to fortune cookie advice is ‘common sense’ in the context of security. It must be simple, succinct, and make sense to everyone, while conveying important security aspects.
Fortune Cookie advice for July, 2009:
Taking a line of thought from Euclid, there is no easy route to understand the ever changing complexities of information security.
We exist in an era where information security is both exciting and complex.
The rapid evolution of information technology, increasing number of targets, and the explosive development of creative tools attackers employ all contribute to a dynamic environment where a continual struggle between aggressors and defenders shifts the balance on a daily basis. Only through hard work can security professionals effectively pursue achieving an optimal level of security which manages the tradeoffs of cost against controlling impacts and effectiveness of attacks. Achieving information security is an exercise in hard work, diligence, consistency, and flexibility to adapt technology and behaviors in meeting the challenge.