On Thu, 17 Jul 2014 10:11:02 -0400 William Arbaugh <[email protected]> wrote:
> > On Jul 17, 2014, at 9:51 AM, Dave Aitel <[email protected]> wrote: > > > I got a bunch of replies that said this: > > """ > > Dave, enjoyed reading your rant, but I don't understand your > > punchline on securing data --"but in fact, just to make it less > > valuable" - how do you do make data less valuable? """ > > > Ultimately, we're suffering from the sins of the early days of > information assurance. The focus then, as now, was on protecting the > computers and networks. Instead, the focus should have been on > protecting the data. Data is IT Security, and you are correct it has to be protected and to date it seems this has not been done well, if at all. However, Information Security is about protecting the VALUE created by the data for both the business and its customers. Businesses are trading on the /value creation/ not the data. That value is usually unique to the business, and the business is able to do something faster, cheaper, at scale, bespoke or whatever for the customer. Additionally, that value which is created is also valuable to those whom may also be able to benefit either from the disruption or destruction (sabotage) of that businesses value creation or from being able to profit from that value that the business created (arbitrage). Information security is much harder because that value creation is very often not found in a hard assets, but often in things like the efficiency of a supply chain or some other epiphenomena that results from the system. Cheers, Dennis -- If you don't know the threat, how do you know what to protect? If you don't know what to protect, how do you know you are protecting it? If you are not protecting it, the adversary wins! _______________________________________________ Dailydave mailing list [email protected] https://lists.immunityinc.com/mailman/listinfo/dailydave
