Whenever there is a discussion around Information Security, the acronym CIA often pops up. For the uninitiated, this refers to Confidentiality, Integrity and Availability – the holy triad as some might say. Pondering ways of trying to promote information security (as opposed to IT security) to organisations, it struck me that we are perhaps talking a different language – or coming at it from the wrong direction
Noble a cause as Information Security is, the reality is that a business wants the Information to be available first and foremost, then that it is correct, and finally that it stays within the business. Some might argue this to be incorrect, but based on 8 years of selling this stuff I can tell you that InfoSec considerations are pushed right to the back of the priority list when times are hard or there is a pressing requirement to fix the core business systems.
So what’s my point? Simple really. If we want to increase our chances of success when introducing initiatives to a business, we need to position from an AIC perspective – not a CIA. Whether it’s whizzy new gigabit UTMs, clever data control solutions, or meeting compliance, I believe we’ll all have more success if we approach it more from an availability perspective as opposed to leading from a confidentiality one.