A common challenge within the information security industry, especially in non-technical areas such as implementing an Information Security Management System (ISMS), is agreeing on what information security means to an organisation and on the correct approach to improving its information security practice.
Information security as an academic discipline is not yet seen as mature as computer science. Many of us in the industry regard information security as an art rather than a science, because different approaches, or even entirely different solutions, can be applied to the same problem and still achieve the same outcome.
Information security leaders seem to agree. As every ISO 27001 subject matter expert (SME) knows, the standard is very broad: it tells us what we need to do, but not how to do it. For example, it does not tell us how to perform a risk assessment, but it mandates that repeated assessments be consistent and produce comparable results. ISO 27001 SMEs also know that the risk methodology is no longer required to be asset-based, nor is it tied by the standard to the context of the business. But the question remains: what if I want to perform an asset-based risk assessment? Would that be considered a wrong approach? If I go to another company and follow a scenario-based approach, would that be wrong again? If a third party uses a process-based approach, would that fit the purpose?
As long as an approach or solution solves the problem and fits its purpose, it should be considered right for that organisation.
As information security professionals, we need to understand this and communicate it to our clients. It gives our clients an understanding of why a particular approach or solution was used, and of the fact that the same type of approach can be used again in the future.