The Good Old Days Of InfoSec
One of the weekly functions of my high school interns is to research and send me articles they find on cyber security, law, privacy, etc. They don’t necessarily know the difference between an article and a vendor piece, which is what the attached is, but the point is to get me thinking about a particular topic and share my thoughts. The attached article is about surveillance cameras and securing that infrastructure because, unlike in the past when cameras were physically separated from the network and ran through coax, many video surveillance cameras today are transmitted over IP, meaning there is potential exposure to the internet, especially if the network is flat, i.e. no network segmentation. All that to say, when I read this it got me thinking about when I first started putting the three pillars of my career together: IT, Law and Investigations.
When I was studying for the CISSP exam there were 10 Common Body of Knowledge (CBK) areas that were covered by the exam.
Access Control Systems and Methodology
Telecommunications and Network Security
Security Management Practices
Applications and Systems Development Security
Security Architecture and Models
Business Continuity and Disaster Recovery Planning
Law, Investigations, and Ethics
These CBKs were designed to test (and thereby guide) a person’s knowledge toward thinking holistically about information security. The CISSP was not a difficult exam for me because those CBKs lined up very well with how we viewed information systems security in the federal government; it was part of my day-to-day responsibilities. It was only when I started working in corporate that I became aware of silos. These silos have been a sticking point for me in my corporate career because that was not the way I was taught to think about information security. So, when there was a problem to be solved, I thought about it in a holistic fashion, and upon sharing my thoughts, found myself frustrated with the… politics of it all.
As we fast forward, we now see that the silos are continuing: we have cyber security, privacy, data governance, compliance, etc., all with a different set of tools, looking at the same information and putting their two cents in on how to protect it. The industry would have been better off continuing the initial CBK model and creating holistic professionals who would be able to see how all these pieces fit together.