Neil MacDonald

A member of the Gartner Blog Network

Redefining Information Security

by Neil MacDonald  |  November 1, 2010  |  6 Comments

The traditional definition of information security has been something like the protection of the confidentiality, integrity, availability, authenticity, possession, utility and non-repudiation of our information assets.

How about a new way of thinking about information security:

Getting the right information to the right entity at the right time in the right context to take the right action.

It seems to encompass everything in the original definition.

Better yet, it's not so esoteric, it sounds much more aligned with the business, and it's all about enablement, which ultimately is what information security is supposed to do…

6 responses

  • 1 Sreehari Padmanabhan   November 2, 2010 at 1:34 am

    Neil,

    Interesting thought shared! Well, if somebody looks at this new ‘way’ of ‘definition’, I am afraid whether they will get the context of protection or risk which I feel must be referred to in the definition somewhere. The term ‘right’, though appropriate independently, is slightly taking the scope of information security very broad and I guess for this precise reason, there must be a reflection of the historical & traditional definition too. ‘Right’ essentially could be achieved in a variety of ways and hence I feel the scope widening.

    Cheers,

    Sreehari

  • 2 Neil MacDonald   November 2, 2010 at 10:28 am

    Sreehari,

    Hmmm… you’ve got a point. The notion of risk-based decision making doesn’t come through. We can’t protect everything equally, so we are willing to deal with more risk for assets and information that aren’t as critical to the business. The word “right” provides some room to talk about appropriate levels of correctness, response, etc., which could vary based on risk. But, I agree that isn’t immediately clear. As I think about it, this notion doesn’t come through in the traditional definition of infosec either.

    On protection – ultimately the reason we protect desktops, laptops, servers and networks is to protect the workloads and information that they encapsulate. Here, I’ll challenge you to consider that protecting networks and devices is the means to the end — where the end goal is the protection of the workloads and information they host – which is what I was trying to get at in the proposal above.

    Finally – on the scope, there is something bigger here in the synergy and shared responsibility of information security and IT operations to deliver resiliency in our workloads and information to deliver the right information to the right entity at the right time. Whether a potential interruption in service is caused by a hardware failure, software failure, poorly executed change or malicious intent doesn’t matter. Our shared responsibility is to deliver resiliency in the information and workloads we are tasked with. So, I believe it’s a good thing that the scope has widened. Security can’t continue to be treated as a silo, separate from the rest of IT…

    food for thought

    Neil

  • 3 Adam Hils   November 2, 2010 at 1:44 pm

    Neil,

    I understand your motive for constructing the definition above. For far too long we’ve been blocking ports, finding vulnerabilities, and shielding servers without regard for the value of the information we are supposedly protecting.

    I’m with Sreehari on this one – “at the right level of protection considering the information’s business risk profile” should be appended somewhere.

  • 4 Andrea Guarino   November 5, 2010 at 11:42 pm

    Neil,

    really interesting thought… but I agree with Sreehari too: your definition just won’t cut it as is.

    It’s a good statement if it’s intended for explaining the general scope of the “Information Security” matter to some not-so-aware executives and/or business people.

    But it does not really encompass the real matter and it does not work for aware business people: you’re not speaking “their” language!

    I normally try to explain it in this other way (in Italian that would “sound” better):

    “Storing and moving at the lowest TCO possible only the minimum amount of information required, while keeping risk levels under control and following local laws and compliances”

    Regards,

    Andrea

  • 5 Neil MacDonald   November 8, 2010 at 8:51 am

    Andrea,

    I like your proposal – especially the context of risk levels and compliance. Lowest possible TCO is good as well.

    The part that is bothering me is “storing and moving only the minimum amount of information required”.

    I’m not sure I would agree that it is information security’s job to minimize the information stored/moved. How in the world would we possibly make this decision? I’d argue that this decision isn’t ours to make at all. And, increasingly much of the information that will be critical to our businesses will be information that originates outside of our systems and traditional boundaries. There’s a world of information out there from the “collective” — people we may not even have a formal relationship with — that may benefit us. Instead of minimizing information, we should be maximizing access to relevant (right) information.

    Which brings me back to this modification:
    Getting the right information to the right entity at the right time in the right context to take the right action within a framework of managed risk.

    “managed risk” meaning a cost/benefit/risk analysis is being performed. That brings in your TCO argument as well as the legal/regulatory compliance that others cited.

    Neil

  • 6 Andrea Guarino   November 14, 2010 at 4:43 pm

    Neil,

    nice addition. Now your definition really works!

    About the “size of the info to be moved/stored”: you’re right, and it’s eventually more a business issue than a technical issue. Moreover, you never know if a certain field or piece of data could possibly have special uses or meanings that business people simply forgot to explain to you. Or they simply do not want you to know about it. Or it will be useful in the future.

    The only reason why I inserted that condition in my statement is that when you know the real use of a piece of “data”, that “data” becomes “information” to your eyes. And – at least here in Italy – moving “information” is almost always a greater risk than moving “data”, because “information” often has some form of specific “value” associated.

    Now this condition isn’t needed any more due to your last modifications: that “value” is clearly part of the “framework of managed risk”.

    Andrea