Friday, September 23, 2016

Proper Security “Flow” Begins at C-Level

Water

Everyone knows that water “typically” doesn’t flow uphill. The same gravitational forces that dictate water flow also drive waves, currents, tides and even waterfalls, making water a very powerful, albeit sometimes punishing and destructive element of nature. It has the ability to wear away at land masses, erode even the most solid of objects and can evolve into a very real and imminent danger, such as when tidal waves, typhoons and hurricanes batter the shore.

Yet water’s effects can also be healing, relaxing and calming. Hydrotherapy is commonly used to treat injury, or other system imbalances in the body. The sight and sound of waves crashing on a beach, rain falling in a forest, or water flowing over the rocks in a creek bed can help to bring focus to the mind and carry one’s thoughts away from stressful situations. I’m always amazed at how such random sights and sounds can distract from everything else around me.

Water is a building block of life. Science has shown that all cellular organisms contain water, and physical life cannot exist in its absence (at least in the sense that humans understand). Water supplies nutrients, it hydrates and it nourishes.

Water permeates and penetrates, saturates and combines with other elements and materials to produce a variety of substances. Additionally, water can be found in various states of matter. It can be a solid, a liquid or a gas and, in each state, it has its benefits.

In the natural realm, one might say water is “ubiquitous”.

Security

Like water, a strong security mindset is a powerful force. Driven by proper motivations, it brings about positive change. Security permeates an environment, mixing with other ideologies to help lay the foundation that everything else rests upon. It builds and creates strategic boundaries, effective barriers and trusted solutions for ensuring safety of data and the individuals who both own and utilize that data.

It can exist in various states or configurations, whether they be hardware or software, physical or logical. Provided it is correctly implemented, security is always changing to accommodate the conditions around it. An effective security posture may appear different in every environment, making each implementation unique in its own way.

A true security mindset can be somewhat calming, in that it understands and accounts for change. While change often brings new challenges, knowing that proper policies and procedures, analysis and monitoring, corrective action and continuing security-related training are in place helps to ease the mind of company leadership. Knowing this, strong company leaders will strive to drive home their security mindset to the rest of their organization.

Leaders with a lack of understanding in areas of security, however, often succumb to fear when they realize that their organization exists in a state of complacency. Their comfort levels become extremely low (as well they should), and they tend to try to drive initiatives in which they have no background or formal experience. While their efforts intend to provide the appearance of security, their environment is at constant risk of attack.

The Cycle

Going back to our discussion of water, we know that it flows downhill or falls, with gravity. Oftentimes, water picks up nutrients and minerals along its path, allowing it to provide benefit when it reaches its final destination. The same holds true in security.

But contrary to the physical realm, where “sea level” is at the bottom of the flow, organizational “C-level” begins at the top. The concept remains the same, however: just like water, a good security plan needs to begin at the top in order for the organization to benefit from it.

As it progresses, it begins to accelerate, but it also picks up further knowledge and experience as it flows downward throughout the organization. Business units, engineering and security departments, and other individuals can take what was envisioned, lend their knowledge to it, and contribute in a meaningful way, by providing feedback to the policy and decision makers. Just as water cycles occur (evaporation yields condensation, which yields flow, which eventually yields new condensation and the cycle begins anew), security ideology continues to revolve. Unlike water, however, which essentially starts anew during evaporation, security continues to build.

Taking the above into consideration, upper management needs a firm grasp of the state of their organizational security posture, including a working understanding of, at a minimum, the risk factors that exist within their environment. They need to understand that learning is a never-ending process when it comes to information security. Additionally, they need to have a willingness to listen to, acknowledge and implement recommended policies and solutions from their management and security teams, and ensure that they appropriately convey security ideologies in their everyday associations with their staff. If this flow is handled appropriately, a company will come out of the cycle with a solid security posture, which is able to evolve and adapt as the need arises.

Closing Thoughts

In closing, with our 20,000 ft overviews of water and security behind us, let’s reiterate the importance of “C-level” with regard to security. The involvement and interaction of C-level executives is crucial to the overall success of a company’s security efforts. If they convey a weak security posture, the downhill progression can be both destructive and devastating. However, if executives value the security mindset and convey the principles and behaviors to their staff that are needed to achieve their organizational security goals, the result is most often a strengthened corporate security posture, destined for success.