Security is about knowing what to do and when – and then having the discipline to do it


Security is not as scary as it sounds. Basically, it is all about knowing a few disciplines and following a good structure.

Though the concept of security may encompass a lot of different fields of work, in this context, it should be seen simply as protecting the organisation’s most valuable assets (whether we are talking customers, products, economics, information, personnel, etc.).

Being aware of a handful of disciplines will give you a head start into the world of security, governance, and risk management.

This post is the first in a small series giving you a basic introduction to what security is all about and introducing some basic disciplines: management of risks, compliance, incidents, controls, and documentation. Later, we will also cover how these are interconnected and who in the company should be in charge of the various disciplines.

However, right now you might be wondering what security is exactly, and you are not alone. The concept of security seems somehow to be both very concrete, as in having a guard on the premises taking care of health and safety, and rather abstract, as when the local IT sheriff tells you to follow some obscure rules you never knew existed and have no idea why they exist.

To most people, security is a somewhat nerdy concept and seldom of any real interest.

So, let us take a look at what it is all about, and why you should care at all.

Security is, for a start, just a result. It may be important, but it is in no way the main thing.

The main thing is, simply put, the business.

So, to get back on track:

Security is about taking care of business, nothing less and nothing more.

It is all about protecting our products and services, the information we are being trusted with, the customers we are serving, the end users, and of course, the company as a whole.

Business and security are not two separate things with two separate goals; they must be integrated with only one common goal.

This also means that in the company, we should never create security for security’s sake. If it doesn’t create value or protect us from loss, we shouldn’t do it.

While doing your job, you may realise that your actions can have negative consequences on a wider area of the business than just on your own small fragment of the company.

Consequently, knowing what is at stake and what kind of damage you need to protect against is essential.

In the following posts, we’ll take a closer look at a few disciplines within security. We will cover management of:

  • Risks:
    Risk management is all about what to worry about, and how to ensure continued business while trying to gain the upper hand.
  • Compliance:
    Compliance is concerned with our obligations in terms of law, customer contracts, promises made, relevant standards, and any internal policies and guidelines.
  • Incidents:
    How can we manage incidents – and how can we use them for preventing further losses and increasing further gains?
  • Controls:
    How do we design, conduct, review, and report on controls?
  • Documentation:
    Documentation must help us keep things under control while allowing us to give a full account of what we do.