This text was written by Deneș Ioana-Gabriela, an exchange student from Romania. She visited my class Information Security Management during the last semester. As a final assignment, all students in this class had to write small essays about what they learned during the semester. I liked this text so much that I want to share it (with her permission, of course). - Kristin Weber
In a world in which privacy becomes a taboo subject; where personal data is getting more and more valuable; where change is fast and a slow reaction to it might cost jobs, social positions, values and opportunities, or even considerable amounts of money; in a world in which the human factor, even when trying to fix errors, is the source of most of the errors, Information Security Management plays an imperative role in defense, the role of an awareness guardian.
It is my firm belief that Information Security is one of the most important subjects people must be more and more aware of nowadays, the subject that the world must treat with a lot of care, the foundation of a future expansion of a digitized world that is growing faster and faster.
First of all, Information Security is the answer to all sorts of threats to information. The Management of Information Security is the sum of processes that ensure the protection of the confidentiality, availability, and integrity of assets from vulnerabilities.
As Stephane Nappo once claimed, “One of the main cyber-risks is to think they don’t exist. The other is to try to treat all potential risks. Fix the basics, protect first what matters for your business and be ready to react properly to pertinent threats. Think data, but also business services integrity, awareness, customer experience, compliance, and reputation.” Applying his saying to the area of daily protection of data, I arrived at some points of view:
On one hand, being aware of possible errors that might occur in the protection of all kinds of information is of paramount importance. Some of the common mistakes made under the assumption that risk doesn’t exist are: people might be tempted to think that some information is less important than other information; a password’s complexity might be underrated; unauthorized access to a building, in which badges are designed to select which individuals can or cannot enter, happens; plugging a randomly found USB stick into one’s laptop, led by temptation; and so on.
On the other hand, trying to treat all potential risks is, under every circumstance, wrong, because this achievement can never be reached. Harm can be done in infinite ways, and, I think, the best way to fight it is by being aware, by premeditating and preparing.
I also share the belief of Stephane Nappo that Anticipation, Education, Detection, Reaction and Resilience are the most efficient defenders. Information Security Management raises awareness of all of them. Anticipating is planning, and planning gets you closer to your security goals. Education is training, and training gets you better at defending against security threats. Detection is the crucial step that puts you in place before something bad happens. Reaction is the process of responding to warnings. Resilience is recovering, and a fast recovery is a tough yet powerful process.
Secondly, another mistake the security of information faces is the wrong impression of many individuals that IT Security is Information Security, when Information Security is, in fact, much more than this. As a student, I made the same mistake, thinking that Information Security was about coding against hackers, coding for the love of security; I made the mistake of thinking of Information Security as Cyber Security. The lectures have helped me realize how wrong I was; they have widened my way of thinking and raised awareness in so many respects. I came to understand that harm can be done in a lot of ways, that being prepared to fight against risk is extremely important, and that information and its protection must be priorities. I have learned that being hacked is not the only way you can lose valuable data, that humans can become the error themselves, that Social Engineering is both a pro and a con, and that unsupervised badges, liquids near laptops and other gadgets, open windows and many other factors that seem insignificant can, actually, become the source of all sorts of leaks.
All things considered, by getting to study this subject I understood that the security of information is really important and that it must be ensured under all circumstances, that underrating any measure or any risk is definitely wrong, and that raising awareness among individuals (among friends and family, at the workplace, in an organization, and so on) must be done. I have encountered different perspectives on the subject and also found out how many positions a company has to offer to ensure the security of all of its information. I am extremely grateful that I got to understand all that, and also thankful for the overview of this amazingly important topic that I gained from the lectures.