Security isn’t really a thing—it’s more a feeling you get when you believe things are the way you expect them to be. You expect things you care about to be “ok”, but most of the time, we really don’t think about what that means either. Maybe it means that something is “safe”, e.g. free from harm. Maybe it means that something is where you put it, or where you expect it to be when you want it. Maybe it means that something is not only where you put it, but ready for you to use when you need it. Maybe it means that you are prepared and have a plan for when certain events happen.
Let’s say you’re home in the evening having dinner with your family and your lights go out. After a moment of surprise, you say, “Don’t worry. We have a flashlight. Let me get it.”
At this point, you expect a few things to be true:
- You really do have a flashlight
- You remember where you put it or where it’s supposed to be
- It really is where you put it or where it is supposed to be
- Once you find it, it will work and the batteries aren’t dead
When the lights first go out, you’re confident that you can solve the immediate problem of it being dark so that you can work on solving the next problem of figuring out why your lights went out. However, if you can’t find the flashlight, you may start to get angry or annoyed, and your confidence that the situation is under control starts to waver.
Of course, if the flashlight can’t be found or doesn’t have batteries, you likely have a back-up plan: you may have candles, but those require matches or a lighter, which you also likely have somewhere easily accessible in the house, or you might just rely on your mobile phone.
Because you either experienced this situation before or you anticipated it could happen, you made sure that you have a way to handle it without too much extra trouble. You bought a flashlight, or you have candles and matches in the house.
In this case, you have a plan, and you have what you need to respond to the situation. You have what you need to implement the plan. Because you have a plan and you know you have the tools you need, you have confidence you can deal with the situation. Because you have this confidence, you feel safe. You feel that everything, including your family, will be ok and the situation isn’t really a big deal. In this situation you might say you feel secure.
In the language of security, the flashlight, the batteries, the candles, the matches and having the plan of what to do with them in the situation when the lights go out are all controls. A control is something you put in place to ensure you are confident that a given situation can be managed.
The situation you want to manage is called a security event, threat, risk or uncertainty.
Sometimes the problem with understanding what security is comes from getting lost in the details: when you are trying to make sure that everything you need to handle a given situation is in place, you also need to make sure that each of those things is the way it should be.
To do this, you may feel like you’re going in smaller and smaller circles all the time without a good place to stop. In many ways, you are, or at least you need to make the circles small enough to satisfy you that things are under control.
Back to the situation of ending up sitting in the dark: how often do you make sure that you have a flashlight, that it is where it needs to be and that the batteries work? What about having candles and matches in the house?
The answer probably depends on how big of a deal sitting in the dark is to you or your family. Maybe your family is just you, or you and your dog. Maybe you don’t care that much, and you decide that it’s a good excuse to go to bed early. Maybe you know your way through the house in the dark without bumping into things.
However, maybe this is a situation that happens a lot, and maybe it lasts for a long time. Maybe it means that because you have an electric stove, if it happens around dinner time, you might not be able to cook (been there). Maybe the power can be off for several hours, and it means that the food in your refrigerator may spoil or the stuff in your freezer could thaw out (been there too—while out of town, no less).
Each of these pieces of information changes how important it is to be sure that your plan and everything it requires are in place and ready to go. In the security world, the terms likelihood and frequency are used to identify how often a particular situation occurs, and the terms impact or consequences are used to describe the effect of that situation on you or what you want to achieve.
The more likely something is to happen and/or the bigger the impact to you, the more you want to have confidence that everything you need to deal with the situation is in place. This confidence comes from the security process of assurance.
Assurance is performing whatever tasks are required to make you confident you can handle the situation. Different situations, different likelihoods and different consequences will require different types of checks, verifications or other assurance activities for you to have enough confidence all will stay under control.
Also, once you think more about the given situation and how often it happens or what its impact on you will be, you may decide that you need to change the plan or the tools you use to manage the situation. Instead of simply having a flashlight or candles when the lights go off, you may decide that because it happens every week and lasts for up to 4 hours, you might want to buy a generator so that your everyday life isn’t disrupted that much every time the power goes out. Or, maybe you decide that having a gas stove is a better choice than having an electric one—but don’t forget you still need matches or a battery backup for the lighter!
In our everyday lives, we do many of the items above on autopilot based on our own personal experience, priorities and the amount of money we’re willing to invest to address the problem. In business, there are a lot more people involved, and each one of those people may have different ideas of the impact of any situation on themselves or the business as a whole. That’s why we need to have formal processes for security, so we can identify exactly what situations are the most important to which people and then decide what we are prepared to invest in terms of time, people and technology to make sure that those situations can either be prevented or managed when they happen.
Once we recognize the need for formal processes, then we need to make sure they’re defined, documented, followed and monitored. During the process, we also need to formally define what we otherwise take for granted so that everyone has the same understanding of what needs to be done, what needs to be protected and to what degree.
The larger the organization and the greater the impact, the more that needs to be done for more people to give them confidence that whatever they want to achieve can actually be done. More confidence required means more checks, more formality and more reports, so that the feeling is stronger and it is easier to do what needs to be done without constantly worrying that something is going to go wrong or that something you care about is going to disappear or be damaged.
Delivering safety and confidence to the level required so people don’t need to worry is what “security” really means.
How confident do you feel today?