Yesterday I had a conversation with a friend and the topic turned to the labels “data security” versus “information security” and which one I prefer. For me, it is not so much a preference as a scope of work: a definition of what I am responsible for protecting. I couched my answer this way.
Here are five numbers: 63, 71, 88, 92, 98. Place them in order from best to worst. Many would assume the highest number is the best. What if I put them in the context of golf scores? Oops. Does it change the order? The numbers are merely data; the context turns those numbers into information.
From a security point of view, the same philosophy applies. Is there an obligation to protect a series of nine digits, or an obligation to protect Social Security numbers? Does PCI apply to credit card numbers, or to any series of 16 digits? Unless data is placed into context, how are we to know which regulations apply, what value to assign, or what threat to expect? We can’t protect PII if we don’t know what it is.
So, for me, the answer is simple. Data security protects a series of numbers and letters, which by itself adds little value to an organization. Information security protects data that has been put into meaningful context. I know which arena I play in. How about you?
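As an added illustration (not part of the original post), here is a small Python classifier that makes the point concrete: a run of digits is only data until a check that encodes context turns it into information worth protecting. The two checks used are the Luhn mod-10 check that genuine payment card numbers satisfy and the structural rules the Social Security Administration publishes for SSNs. The sample text, the function names and the labels are my own constructions. The example keeps the post's 16-digit simplification even though real card numbers run from 13 to 19 digits, and a structurally plausible SSN is still only plausible, not confirmed.

```python
from __future__ import annotations

import re

# Runs of 9 to 16 digits, optionally separated by single spaces or hyphens
# (e.g. "4111 1111 1111 1111" or "123-45-6789").
DIGIT_RUN = re.compile(r"\d(?:[ -]?\d){8,15}")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, which every genuine payment card number satisfies.

    From the right, every second digit is doubled (subtracting 9 if the
    result exceeds 9); the number is valid if the digit sum is divisible by 10.
    """
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_ssn(digits: str) -> bool:
    """Structural rules for a US Social Security number (area-group-serial).

    Area 000, 666 and 900-999 are never issued; group 00 and serial 0000
    are never issued either. Passing this means "plausible", not "confirmed".
    """
    if not re.fullmatch(r"\d{9}", digits):
        return False
    area, group, serial = int(digits[:3]), digits[3:5], digits[5:]
    if area == 0 or area == 666 or area >= 900:
        return False
    if group == "00" or serial == "0000":
        return False
    return True


def classify(text: str) -> list[tuple[str, str]]:
    """Label each digit run found in text as PAN, SSN or plain DIGITS.

    PAN    - 16 digits that pass Luhn: treat as cardholder data (PCI scope)
    SSN    - 9 digits that pass the SSA structural rules: treat as PII
    DIGITS - a run of digits with no supporting context: data, not information
    """
    findings = []
    for match in DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if len(digits) == 16 and luhn_valid(digits):
            label = "PAN"
        elif len(digits) == 9 and plausible_ssn(digits):
            label = "SSN"
        else:
            label = "DIGITS"
        findings.append((digits, label))
    return findings


# Constructed sample text (not real records). 4111 1111 1111 1111 is a
# well-known Luhn-valid test number; the other values are made up.
SAMPLE_TEXT = "\n".join([
    "order 1234567890123456 shipped",    # 16 digits, fails Luhn: an order id
    "card 4111 1111 1111 1111 on file",  # 16 digits, passes Luhn: a PAN
    "employee 123-45-6789",              # structurally plausible SSN
    "tracking 987654321",                # 9 digits, but area 987 is never issued
])

if __name__ == "__main__":
    for digits, label in classify(SAMPLE_TEXT):
        print(f"{label:6} {digits}")
```

A DLP rule that flags "any 16 digits" is matching data and will drown analysts in order numbers and tracking codes; adding the Luhn check (and, in a real deployment, issuer prefixes and surrounding keywords) is what turns a match into a finding about cardholder data, and even then it is a lead to verify rather than a confirmed record.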

Is it a young lady or an old woman? Is it both?
The potential for information security to enable business often gets lost in our own scotomas. We get so locked into our world of information protection that we fail to see alternatives and opportunities. The inability to see more than one option is the experience scotoma we all suffer from time to time, and some of us more often than not. We see only the “old lady,” and therefore that is all we can act upon. To see options and alternatives, we have to break our own scotomas and communicate in a way that breaks the experience scotomas of others.
Only by breaking down the psychological barriers that prevent us from seeing the whole picture will we be able to apply business-focused security solutions. That is where the business value of security comes in. Don’t just see the young lady. Don’t just see the old lady. See both.
A 38-year-old Avon Lake, Ohio man is set to plead guilty to federal charges after spyware he allegedly meant to install on the computer of a woman he’d had a relationship with ended up infecting computers at Akron Children’s Hospital. (Misdirected spyware infects Ohio hospital. McMillan, Robert. 17 September 2009. ComputerWorld.)
Graham certainly gets what is coming to him. Sending spyware to your ex is more than a little creepy. However, it seems to me the hospital is also culpable in the release of protected health information (PHI) because of poor security practices. The hospital has an obligation to protect this information, yet it allowed an employee not only to access personal e-mail on a hospital computer but also to download and install an application, which in this case turned out to be spyware.
Unfortunately, this is a common occurrence. Employees use business assets as their personal playground, downloading and installing all types of applications that have no business being on the PC. I’m not talking about pictures of Grandma Edith and the new puppy, but peer-to-peer file sharing and chat applications, games, and other programs of amusement. This places companies at risk of the accidental release of personal information or the compromise of systems.
With more regulatory pressure being placed on organizations to protect personally identifiable information, companies are going to need to decide whether they are running a business or a playpen. It may be safer (and less expensive) to put in a foosball table and a pinball machine than to suffer the consequences of a breach.