Last week I went to the infosecurity Europe event in London as I was attracted by the keynotes titles and the interactive theatre. Besides returning home with three different caps/hats, one even has a battery attached to it (stress balls seems to be out of fashion for the security nerds and herd, which is good for me because I love hats), I also found that security is no longer confined to ‘security policies’ or even ‘communications policies’. Information security is an industry itself even though having a secured information system/network is still a myth.
On the panel discussion: ‘Which is more important – Compliance, Security or Operability?’, the question then is Compliance or Operability?. ‘Compliance’ is compliance with an array of rules/regulations/standards and no debates there and since ‘Operability’ (the intended meaning here is that the system is functional/operable/available) is also one interesting ‘ilities’ (others are ‘traceability and trackability’) for ediscovery; I was hoping to hear more debates on ‘operability’. No debates whatsoever on operability, instead couple of enlightening questions were raised around ‘information asset’. Ah! back to security in terms of protecting assets. Questions raised are ‘How to identify information assets including assets in the ‘cloud’? ‘How to put information asset at appropriate risks to achieve maximum value?’ These questions are also relevant for ediscovery. Worth pointing out that asset identification is one key activity of risks management. How many organisations perform risks management on a regular or even a sporadic basis? How many organisations have security policies or communications policies in place? In place or not, policies are considered ‘given’ if organisation is not to be burdened with ediscovery.
Interestingly, the shift seems to be on the monitoring of systems/networks/e-mails etc (any conceivable ESI ) otherwise also referred to as ‘vulnerability management’ (replacing risk management?).
Monitoring of electronic communications was recently reported in the article, ‘E-Discovery Keeps an Eye on the Job’ by A. Michael Weber New York Law Journal April 25, 2008. Here, the assets (also potential sources of ESI) are not just e-mails but also physical assets. Now imagine working in an organisation whereby such assets are ‘classified as company secrets’?! Mmm I wonder what Bruce Schneier will write after ‘Beyond Fear’. I have not read the book, just what’s on http://www.schneier.com/book-beyondfear.html. How about ‘Beyond Reason’?
Before I get too carried away, back to the infosecurity show…
A striking reminder comes from the chair of ‘The Hacker’s Panel’ (which I also attended out of curiosity as I was attracted by the lack of disclosure on the topic which said ‘ for legal reasons the panellists will not be revealed) was the old adage, ‘you can’t control what you can’t measure’. The theatre (non interactive, capacity 100-200) was pretty full. I remembered having to queue to enter.
So the reminder further re-inforced that information security is a myth. Can’t measure, can’t control. Can’t measure because no (reliable/operable?) information is available on cybercrime. Some mumbling on human factors, change behaviour, ‘hacker’ mindset gaps all revealing that security is not just related to policies, codes, printers, e-mails or networks.
Also a good reminder for ediscovery/disclosure