Wednesday 18 July 2012

One of a "million" comments...


...to the post What is Information Security Really? by James Rees on Compare the cloud.net. A really great discussion about what InfoSec really is. I advise you to read some of the great comments and maybe tweet it, as a lot of other people have already done.

Short excerpt from the post:
"Looking at the examples above carefully you begin to see a pattern: nobody really knows what information security is, nobody really wants to do it as they think it costs too much, and if they do have to do it, they will do the minimum required in order to tick whatever box they need to. This leads me to ask a question.

What is the minimum?"
Read the full post.

My comment:
"A lot of really great comments and traffic to a great post on an important matter. First, and this is important: I’m not an InfoSec expert; at the most I would call myself a novice. So my points are in humble respect to all InfoSec experts. And I apologize if I’ve missed comments similar to mine in the thread. But I will give you my opinion from “my mind of view”. I’ll make it a long one… 
Normally I tend to say: Don’t worry about security in the cloud. It’s probably better than the one you have today in and around your on-prem solution. And if it’s better “at home” you either:
  • Have a specific business that needs to be top secure. Most probably you shouldn’t put this type of service into a public cloud. Maybe a private one.
Or: 
  • A specific CSP has a lousy security solution – a minimum solution!
Or:
  • You have probably built a better solution than needed + your owner or the management isn’t informed or doesn’t understand the actual cost. 
CSPs’ core business is to deliver services. If a CSP fails in security it’s a bad mistake and the CSP should, in my opinion, ask themselves why they are in the business at all; in the business to make easy money or to truly deliver a good service to customers? The business is self-sanitizing, but it’s bad for cloud business in general if credulous customers learn the hard way. By saying credulous I don’t mean sloppy. You should read T&C and benchmark, but you should be able to trust the facts and results. 
On the other hand: 
CSPs struggle with costs since customers demand more than they are willing to pay for (read my post about that customization isn’t the future on outsourcemagazine.co.uk). It might also be a problem when a customer asks for, e.g., a SaaS where InfoSec isn’t a selection criterion and several CSPs compete for the contract; why should the customer choose a more expensive service even if it’s better?! To me this is the biggest problem: customers choosing the cheapest alternative even if they (know?) needed a better solution - the unaware CFO and CEO putting their businesses at risk because they didn’t understand, nor were aware enough, just thinking about money in the short term. To quote a colleague of mine: “When buying quality you only cry once.” 
For sure, as in all situations, attacks will happen where it hurts the most. So CSPs will be more attacked and vulnerable than single on-prem solutions. Therefore, I still say: security is probably better in the cloud than with a business-functional on-prem solution – because the CSP will be “erased” from the market if it fails. 
Security shouldn’t be a defense wall only. The only way to build “Fort Knox” security is to use tons of money. Or you can erase all threats by dropping the Internet connection and using rigorous controls when hiring and when the employees come to work. But business is about taking risks, not stupid ones but some. You can’t afford “Fort Knox”, you can’t “afford” dropping Internet or setting up rigorous controls, and you can’t afford incidents. You have to know the threats and what risks you’re taking and try to minimize them, but most important: you have to know what to do if something fails or someone hurts your business. If you put the least acceptable level of effort (= minimum) into fulfilling a certification, standard etc., you as a customer jeopardize your business, or as a CSP jeopardize both your own and your customers’ business. If you know you’re doing the minimum… reconsider if you should be in business at all.
Sorry about the formatting.... 
Unfortunately the customers are driving the “minimum”. Let’s hope maximized security bangs aren’t the way to wake customers up from security minimalistic dreams. 
Minimum is not ok – for me, you, he, she & it/IT, and none of us can afford a serious incident."
