Information security has become more of a buzz-phrase lately. It seems I keep running into technicians who are eager to make the leap into what appears to be a more lucrative field, but who lack a firm grasp of what info sec is really about. At first glance, info sec seems to be simply the manipulation of gadgets–firewalls, forensics software, encryption software, VPNs, antivirus–but the reason, the business reason, for doing these things evades people.

The whole point is risk mitigation. Not the removal of risk, because that is impossible, just the reduction of risk. An analogy is car safety. You use seat belts and air bags to lower the risk of death and injury from car wrecks. You use lights, horns, and bumpers for the same reason.

It would, of course, be nice to remove the risk of car accidents altogether. How would we do that? Well, we could require everyone to use robot-driven cars. Perhaps having all cars the same size and weight would help, too. Automating maintenance of the cars would keep vehicles in poor repair off the roads. Banning cars altogether–requiring everyone to use mass transit driven by specially trained technicians–would also remove the risk of car wrecks. Are any of these feasible? Probably not with today’s technology or in our society; taking these actions could kill business and make our lives very different. But, if you think about it, these are the tactics we use to secure corporate networks–standardizing PCs, managing updates, restricting the abilities of less technical users, etc.

7 Responses to “Risk mitigation in corporate info sec”

  1. Gary Hinson says:

    Have you heard the analogy: infosec is like brakes on a car. They let you drive faster with confidence that you’ll be able to stop when you need to. It’s a nice positive spin.


  2. rivercrow says:

    That is a positive spin. I use car analogies frequently.

    What’s frustrating to me are the techs who get into absolutes and want 100% (or want to promise 100%) security to the detriment of business operations! I guess what’s missing is the awareness that many things are possible but may not be appropriate or prudent.

  3. Xander says:

    It seems that with all this security it is an industry which is doomed to a constant tug of war. Each new standard or level reached in security seems to only set the bar for the hackers, driving them to new heights which then drives the security geeks to new heights and so the cycle continues.

    One has to wonder what the hackers get out of it all. They can’t be that successful in terms of pay dirt and yet there seems to be plenty of them.

  4. rivercrow says:

    Actually, there was a very unscientific poll at a recent black hat convention that asked this question. Simple satisfaction, getting one over on “the man”, and other such are rewards–but increasingly hackers do get money, if not from the victim then from someone who “puts a hit” on the victim. There are hacker-for-hire sites, for instance.

    You do have to differentiate b/w internal and external hackers as well.

    Even so, what bothers me more is people getting fixated on WHAT to do, not WHY.

  5. Eric says:

    We really should do away with Networks, teh internets and Email and just use FedEx, DHL, and UPS to courier every bit of information. Mind you, these services never work well for me. But I’d just like to have the same mentality when someone wants something: I can just say, “The courier can’t find the cubicle twelve feet away from me, you are screwed.” And feel like my work is done. People would then start missing ye olde days of “Going Postal.”

  6. rivercrow says:

    You know, I worked for the USPS at a time….. 😉

  7. Eric says:

    I have alerted security. Fortunately they are employed by you-know-who, so they probably won’t find you either.
