Privacy needs more than technology

I enjoy conducting security awareness training as it allows me to emphasize the importance of security to the organization. In particular, I always get a good laugh when discussing phishing scams. I assure the audience that their company has spared no expense in its investigations and I can therefore clarify for them that there is no former Nigerian Finance Minister looking to give them 100 million Euros.

I get serious, of course, when we discuss patient information. I talk about the Security Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The regulations use concepts that will be familiar to anyone who works in data security. HIPAA is explicit about protecting the confidentiality, integrity and availability of EPHI (electronic protected health information). That's what we protect. I go into detail about the three types of safeguards HIPAA requires: technical, physical and administrative. That's how we protect EPHI. But when it comes to why we protect the data, HIPAA is not on the top of my list. In fact, I go back to principles that are over 2,000 years older.

The Hippocratic Oath, a 2,500-year-old Greek text still pledged by many physicians and health care professionals as they enter service, is as specific on the privacy of patient information as HIPAA: “Whatever I see or hear in the lives of my patients, whether in connection with my professional practice or not, which ought not to be spoken of outside, I will keep secret, as considering all such things to be private.” And in financial services, the principles of secrecy in financial transactions go back at least 500 years. Why do we keep our customers' data secure? Because they expect us to.

So while security isn't generally customer facing, it can be seen as a customer service. When you approach it like this, then protecting data takes on some new dimensions. For example, you become not just an advocate for your organization's security policies, but for their notice of privacy practices as well. You also learn to consider customer impact when you do a risk assessment and evaluate impact overall.

Even in industries that do not directly serve consumers, there are secrets to be kept. Guidelines about guarding trade secrets go back at least 1,000 years. What these different confidentiality traditions have in common is not just that they are many centuries old, and not just that they deal with keeping the “secrets” of the customer and/or the organization. What also ties them together is that none of them have a background in military activity or warfare. They do not focus on security as a battle. 

However, a security professional does have to think in militaristic terms on a very regular basis. Like any security professional, I spend a good deal of time analyzing attacks. I identify enemies, vulnerabilities and attack vectors and I consider controls as defenses. And even though it is getting harder to figure out where my “perimeter” is, I try to secure it as best I can. The threats are real and we do have a battle on our hands.

But having said that, while I spend a lot of time focused on what I am fighting against, I think it is important not to forget who I am fighting for.