This text was written by Deneș Ioana-Gabriela, an exchange student from Romania. She visited my class Information Security Management during the last semester. As a final assignment, all students in this class had to write small essays about what they learned during the semester. I liked this text so much that I want to share it (with her permission, of course). - Kristin Weber
In a world in which privacy becomes a taboo subject; where personal data is getting more and more valuable; where the change is fast and a slow reaction to it might cost jobs, social positions, values and opportunities, or even considerable amounts of money; in a world in which the human is the factor that, even while trying to fix errors, is the source of most of the errors, Information Security Management plays an imperative role of defense, the role of an awareness guardian.
It is my firm belief that Information Security is one of the most important subjects people must be more and more aware of nowadays, the subject that the world must treat with a lot of care, the foundation of a future expansion of a digitized world that is growing faster and faster.
First of all, Information Security is the answer to all sorts of threats on information. The Management of Information Security is the sum of processes that ensure the protection of confidentiality, availability, and integrity of assets from vulnerabilities.
As Stephane Nappo once claimed, “One of the main cyber-risks is to think they don’t exist. The other is to try to treat all potential risks. Fix the basics, protect first what matters for your business and be ready to react properly to pertinent threats. Think data, but also business services integrity, awareness, customer experience, compliance, and reputation.” Applying his saying to the area of daily protection of data, I arrived at some points of view:
On one hand, being aware of possible errors that might occur in the protection of all kinds of information is of paramount importance. Some of the common mistakes made under the assumption that risk doesn’t exist are: people might get tempted to think that some information is less important than other information, a password’s complexity might get underrated, unauthorized access is provided in a building in which badges are designed to select the individuals that can or cannot enter, a randomly found USB stick is plugged into one’s laptop out of temptation, and so on.
On the other hand, trying to treat all potential risks is, under every circumstance, wrong, because this achievement can never be reached. Harm can be done in infinite ways, and what I think is that the best way to fight it is by being aware, by premeditating and preparing.
I also share the belief of Stephane Nappo that Anticipation, Education, Detection, Reaction and Resilience are the most efficient defenders. Information Security Management raises awareness over all of them. Anticipating is planning, and planning gets you closer to your security goals. Education is training, and training gets you better at defending against security threats. Detection is the crucial step that puts you in place before something bad happens. Reaction is the process of responding to warnings. Resilience is recovering, and a fast recovery is a tough yet powerful process.
Secondly, another mistake the security of information faces is the wrong impression of many individuals that IT Security is Information Security, when Information Security is, in fact, much more than this. As a student, I made the same mistake, thinking that Information Security was about coding against hackers, coding for the love of security; I made the mistake of thinking of Information Security as Cyber Security. The lectures have helped me realize how wrong I was; they have widened my way of thinking and raised awareness in so many respects. I got to understand that harm can be done in a lot of ways, that being prepared to fight against risk is extremely important, that the information and its protection must be priorities. I have learned that being hacked is not the only way you can lose valuable data, that humans can become the error themselves, that Social Engineering is also a pro and a contra, that unsupervised badges, liquids near laptops and other gadgets, open windows and many other factors that seem insignificant can, actually, become the source of all sorts of leaks.
All things considered, by getting to study this subject I understood that the security of information is really important and that it must be assured under all circumstances, that underrating any measure or any risk is definitely wrong, and that raising awareness among individuals (among friends and family, at the workplace, in an organization, and so on) must be done. I have met different perspectives on the subject and, as well, found out how many positions a company has to offer to ensure the security of all of its information.
I am extremely grateful that I got to understand all that, and also thankful for the overview I reached on this amazingly important topic from the lectures.