Cyber Security, The Big Picture


The nature of Information Technology has changed drastically over the past decade. The way we manage IT security hasn’t.

IT Security tends to be viewed and managed in a variety of “immediate contexts.” Sometimes those contexts are connected, but most often they’re not. These contexts include the following:

•    The Network Transport Context
•    The Network Enclave Context
•    The End-user / Desktop / Edge Context
•    The System or Application Context
•    The Database Context
•    The Social Engineering Context
•    The Web Surfing Context
•    The Email Management Context
•    The Data Center Context
•    The Application Development Context
•    The Biometric Context
•    The Physical Security Context
•    The Cryptographic Context

And there are many more. These contexts change depending on the nature of the organization or community in question and in many cases they can be combined or rearranged. So what do all of these elements (and the others not shown) have in common with one another? The most important realization is this – failure in any one area potentially opens the enterprise up to catastrophic risk. So, any organization could be nearly perfect in every aspect of their security management, but one mistake in one area invalidates the other 99% of their efforts.

What’s more troubling is that some contexts can be managed exceptionally well yet still fail because the relationship between that context and the rest of the enterprise isn’t properly understood or monitored. The level of diligence required to support rises exponentially when dealing with federated or distributed domains.

Beginning about a year ago, the Federal Government realized that the nature of IT security was changing and that the current acquisition and program management framework for handling information security wasn’t properly aligned to the evolving threat. The introduction of the Comprehensive National Cyberspace Initiative (CNCI) was the result of this strategic realization; the realization that security could no longer be managed in stovepipes either from an organizational standpoint or an architectural or infrastructure standpoint. 

Within the Defense Department, the realization has been underway even longer, with efforts by the Navy and USAF to develop “Cyber” Commands going back nearly four years now. The Army is following suit, and the DoD-wide Cybercom that the Obama Administration decided this Spring to launch is close to reaching Initial Operating Capability (IOC). Yet all of these efforts, despite recognizing a new set of expectations and requirements, have continued to pursue old policies and practices for IT security management. This adherence to the old paradigm is reflected in the nature of the programs or projects being managed as well as in the job descriptions for the practitioners who must fulfill those roles. There are few, if any, positions dedicated to ensuring interoperability and coordination between enterprise enclaves or even between components of existing operational architecture. The majority of the focus in today’s programs or contracts is still on either “Information Assurance” in a vague sense or NETOPs perimeter security.

So what exactly is Information Assurance? According to Wikipedia it is defined as:
“Information assurance (IA) is the practice of managing information-related risks. More specifically, IA practitioners seek to protect and defend information and information systems by ensuring confidentiality, integrity, authentication, availability, and non-repudiation.”

This definition is a relatively non-technical and ambiguous bucket of potential capabilities, functions and architectural elements. It basically allows for a completely subjective interpretation, which is likely to be different everywhere one goes (despite various attempts at standardization). The goal for Cyber Security, on the other hand, is to provide a process or lifecycle framework that can be specifically defined, both across industry and within each organization adopting it, with a consistent set of technical expectations.

The first big difference between Information Assurance and Cyber Security is this – IT security is now about much more than information, or the systems or infrastructure that manage it. Cyber Security recognizes that what we’re really protecting is the mission and functionality that the information, data or systems enable. The goal is not just to keep attackers out or keep systems operating, but to keep the solution running well enough to ensure that the mission or services are not disrupted beyond a defined critical level. This may sound like splitting hairs (availability and integrity are similar), but it’s not – many, many IT providers still view themselves as separated from the organizations they serve (sometimes even within the same organization). The change in perspective requires a new level of coordination with the mission or business elements of an organization in order to achieve true risk aversion and “Cyber Assurance.” Cyber Assurance, as a component of Cyber Security, represents the following core considerations:

•    Mission Integrity [an
•    Service Quality
•    Threat Management

 
