- Information Security is an art, not a science, and the mastery of information security requires multi-disciplinary knowledge of a huge quantity of information, experience and skill.
- Security controls and practices include logging on, using passwords, encrypting vital information, locking doors and drawers, motivating stakeholders to support security, and installing pipes to spray water down on your fragile computers in case of fire.
- These are means of protection that have no visible benefit except on the rare occasions when adversities occur. Good security is when nothing bad happens, and when nothing bad happens, who needs security?
- So why do we engage in security? Nowadays we do it because the law says that we must, especially if we deal with the personal information of others, electronic money, intellectual property, and keeping ahead of the competition.
- Information security is no job for perfectionists, because you will almost never be fully successful, and there will always be vulnerabilities that you aren't aware of or that you haven't fixed yet.
- Therefore, the enemy has a great advantage over us: he has to find only one vulnerability and one target to attack in a known place, electronically or physically, while we must defend against potentially millions of enemies' attacks on all of our assets and vulnerabilities, which are no longer in one computer room but are spread all over the world by wire and now by air.
- It's like playing a game in which you don't know who your opponents are, where they are, what they are doing, or why they are doing it, and they change the rules as they play.
- So, you must be highly ethical, defensive, secretive, and cautious about bragging about the great security you are employing, since that might tip off the enemy.
- When working in security, you are in a virtual army defending your employer and stakeholders from their enemies, and from your point of view they will probably think and act irrationally, but from their perspective they are perfectly rational with serious personal problems to solve and gains to be made by violating your security.
- Most of your work, now, should be assisting potential victims to protect themselves from information adversities and dealing with your smart but often irrational enemies even though you rarely see or even get close to them.
- Be trustworthy and develop mutual trust among your peers. Your most important objectives are not risk reduction and increased security; they are diligence to avoid negligence, exceeding compliance with all of the laws and standards and auditors, and enablement when security becomes a competitive or a budget issue.
- To achieve these objectives, you must develop a trusting exchange of the most sensitive security intelligence among your peers in your and other security people's organizations so that you know where your organization stands in protection relative to them.
- Your personal and ethical performance must be spotless, and you must protect your reputation at all costs.
This blog contains notes from different learning sites. These notes fall under Information Security, Cyber Security, Network Security and other security domains. Any suggestion to make this site more helpful is truly welcome :)
Sunday, May 10, 2015
Information Security