There is one thing that we in information security can count on: change. I recall many years ago when we talked about "computer security." Then it was network security. Information security followed and now we have information assurance. I'm not sure, from a practical perspective, that any one of those is particularly different from any other. Perhaps information security is the best term so far, and I fully recognize that there are subtle differences in each of these terms making them, arguably, unique. But change, as always, is upon us.
In today's environment, buzzwords are not particularly useful, not that they ever really were. I have spoken with perhaps a dozen people lately who, for some reason, have decided that they don't like any of the terms we use to describe our discipline. "So," I ask, "what do you like?" I have yet to get a direct answer to that. Well, I have one, and, for a change (there's that word again), I think that it actually says something about where our thinking should be. It's a term we all know, of course – "risk management."
Today, the entire field of information security/assurance is, or should be, focused directly on the management of information systems risk. In fact, as a colleague pointed out to me recently, all security of any type really addresses the management of risk. He used an analogy that brought the notion home to me.
Imagine that you have a pond and you want to keep its ecosystem well balanced. To protect your pond, you instrument it. In other words, you periodically test the water for the proper micro-organisms in the proper quantities. You test the pH and you test for pollutants. That's a combination of vulnerability assessment and threat analysis. By managing the threats and vulnerabilities of your pond you are managing the risk that the pond will become polluted and not support its ecosystem. This, really, is not much different from the way we need to think about securing our enterprises.
Of course, this does not mean we can eliminate risk. Some elements of risk are with us whether we like it or not. Just as in the pond, where we cannot reasonably stop acid rain that falls into our ecosystem, there are things that occur in our enterprises that we can, at best, only manage to acceptable levels.
But securing our enterprises means, clearly and simply, that we must manage risk. We information security practitioners all need to reengineer ourselves into information systems risk managers. After all, we're all in the same pond.