There are two base assumptions about what is not right about information security:
- Most organizations are not doing enough to truly secure themselves.
- Not only are organizations not doing enough, they are convincing themselves and the people around them to the contrary.
This chapter illustrates what we believe to be the underlying or root causes behind these issues in an organizational setting. We begin with these concepts because they serve as foundation principles that are carried throughout the remainder of the book. The first of these issues focuses on how the varying interpretations of what people believe "security" to represent affect their ability to successfully implement it. We conclude by showing the relationship between the use of inconsistent definitions of "security" within organizations and how those definitions are used to measure success or failure, many times producing misleading results. Of course, inconsistent definitions of the term "security" are not the only factors creating faulty measurement within organizations. The next section of this chapter introduces a myriad of items that undermine an organization's ability to accurately measure its success with security.
The approach is to use tangible, relatable examples in order to prepare you for the primary concepts that are defined later within this chapter. In many of the examples, you will see the sentence or paragraph followed by a set of parentheses that enclose the name of the concept that the example illustrates. Though this may seem a little unorthodox, we feel that a demonstration of the symptoms will aid you later in diagnosing your own situation. After all, as any doctor would say, you cannot make a diagnosis if you cannot recognize the symptoms. The following section provides our diagnosis and the core root causes of the problem: what we refer to as "the security constraints."