When I moved from Network Security where the "what" of security is obvious and the "how" is not so obvious to Security Management where the "what" is not so obvious and the "how" is done by others I decided I needed to get a bigger picture view on Information Security.
This blog has been an invaluable asset as I wander along the path of elucidation. Also, as I read and search for wisdom I come across some gems. I have made myself a Wall of Wisdom with some choice quotes that I refer back to when I'm not sure what I should be doing.
I'm going to share one of them with you today. And others in the future.
My first challenge is that Information Security is seen as a technical task - get a firewall, get some antivirus, if you still have money - deploy PKI.
Information Security is a business task. And in all things to do with business success or failure needs to be measured. How secure are you, right now? If you can't answer that, you are not doing Information Security right.
My quote is from Lord Kelvin who was a mathematical physicist, engineer and outstanding leader in the physical sciences. In a lecture to the Institution of Civil Engineers on 3 May 1883 he said:
"I often say that when you measure what you are speaking about, and express it in numbers, you know something about it; but when you cannot express it in numbers, your knowledge is of a meagre and unsatisfactory kind; it may be the beginning of knowledge, but you have scarcely, in your thoughts, advanced to the stage of Science, whatever the matter may be."