IDG Contributor Network: Rethinking security
Two very different publications on “cyber resilience” got me thinking about the definition of “information security”, which I thought I understood. The first is Digital Resilience, a 2018 book by Ray Rothrock. The second is NIST SP 800-160, Volume 2, draft (March 2018). In Mr. Rothrock’s book, “resilience” is framed as a business risk to be managed with a holistic, systems-level approach to threats and their mitigation. In SP 800-160 Vol. 2, resiliency is characterized as the ability to keep operating and recover after an APT has already gained a foothold in your network or systems.

We still don’t have settled definitions of the basic terms in this field! Security practitioners are like the blind men describing an elephant, each sure of the part he can touch. No wonder there is a communication gap with business leaders. So, in this post, I decided to offer my own description of “security”, with some best-practice implementation ideas. It is a rethinking rather than a reinvention.