Don Hoffman hits the nail on the head.
"Can someone help me understand why Information Security [IS] is in some verticals called IT Security? Where in the hell did the T come from? I am trying to figure this out. Seriously, when did we start putting a T in Information Security?"
Donald's Information Security, Aug 2009
The reality is that most Information Security leaders were promoted up through the ranks on their technical savvy. Human nature being what it is, we tend to gravitate back to what we are comfortable with, especially during times of change and stress. And by the way, when isn't the Information Security domain experiencing change and stress? NEVER. Actually, that is what keeps many of us in the game, because it makes our business exciting!
Mark Brooks
I prefer the military nomenclature of Information Assurance. I have carried it over to the commercial world and make sure all my security types carry that title now. I like the definition and what it means:
Assurance - a positive declaration intended to give confidence; a promise
My teams positively declare with confidence that the information of our systems is assured. It carries some weight and responsibility on their parts.
Posted by: Nicholas Schmidt | August 29, 2009 at 06:51 PM
Hi Nicholas,
Thanks for the comments.
I too like Information Assurance. Coincidentally, I served in the 101st Airborne Division right out of school. At the time, I don't believe the US Army had adopted the use of "Information Assurance", though I could be wrong. However, they certainly have since then.
I took a similar approach in rebranding in my last role at Lilly by branding our group "Information Risk". The idea being to recognize information security trends, such as:
- Collaborative Environments such as Cloud Computing, that are forcing companies to make trade-offs in controls they simply haven't had to make in the past.
- Proliferation in Laws and Regulations that are driving large companies to establish cross-functional governance to rationalize and prioritize control investments.
- And tied directly to the second point, the emergence of "Enterprise Risk Management" capabilities that are increasingly being tied to both Corporate Compliance functions as well as Corporate Security functions.
In fact, my division's title was "Enterprise Information Risk and Compliance". Of course given that no two organizations are exactly alike, I'm sure that there is no exact right way of branding. For example, our group was responsible for IT QMS strategy, IT Policies and Procedures, and Information Standards that included Information Security. However, we weren't responsible for operational security.
In the end, I think we both had the same intent on taking the "T" out of Information Security. Thanks for the comments!
Mark Brooks
Posted by: Mark Brooks | August 30, 2009 at 09:54 AM