Since the mission of this blog is to go beyond F.U.D. and analyze information security in the context of meeting business objectives, cloud computing and the current economic realities in Canada seem like a perfect place to start. Before this series will make any sense, a short segue back to 2011-2013 is needed, and to a few key dimensions added to my personal approach to information security: passing the ISACA CRISC examination, the release of the Penetration Testing Execution Standard, and working for a firm that integrated SABSA into its professional services engagements.
Although the inner geek in most infosec people loves to debate exploits, operating systems and apps, the reality is that information security has one simple ask that is deceptively complex:
Reduce data confidentiality, integrity and availability risk to a level tolerable to the business unit.
The complexity arises from two elements: the first is the iron triangle/project management overlay that almost every organization needs to deal with, and the second is the lack of a consistent understanding of risk within the infosec community. Fast forward to 2015 and there is some very good guidance on how to measure risk: OWASP has a well-defined approach based on F.A.I.R. geared specifically for web application assessment, and the Open Group published the first risk assessment model aligned with security architecture as a whole. For those charged with securing critical infrastructure, ISA recently released training and certification specific to risk assessment within the automation environment.
And we’re back …
Risk-based security may be a bit controversial at first. It involves making the tough call that some resources may not be protected to the degree people would like, because the cost-benefit trade-off aligns with the organization's current priorities.
Here is the first of a series of cloud security articles planned for Q1 2016: