Saturday, April 19, 2008

Security is a Process...Not a State (Revisited)

It is second nature to security professionals that security is a process and not a state. However, many of us overlook the implications of this fact in regard to data security. Let's consider the implications now.

The breach of sensitive information differs from a breach of security involving physical items. For example, when a laptop is stolen it is no longer available for use. In contrast, when data is stolen it is often the case that an instance (a copy) of that data is in the possession of an unauthorized person, while the original data is probably still available to the owner. There are many implications resulting from this difference. Security professionals discuss this in terms of operational risk versus organizational risk. The actual loss from a data breach derives not from the theft itself, but from the litigation and bad press that result. The risk applies to brand and shareholder value.

It is for this reason that the process of security trumps the actual state of security at any one time. A formal program of security, even if it is a low-budget, understated program, is imperative for most companies today. If the loss results from bad press and litigation, then the defense is the ability to demonstrate that a reasonable standard of care was being provided. This is best demonstrated by producing a written plan, evidence of effective management with third-party oversight, and evidence of the progress being made on the plan. Formalizing the security process does not need to be burdensome or costly, and as a risk mitigation measure it is almost instantaneous in its effect and unassailable in its cost effectiveness.