Hippocrates, the "Father of Medicine," may have pledged to keep his patients from harm, but he did little good, even with his extravagant treatments. Oh, physicians throughout history were good at setting broken bones and amputating limbs, but preventing disease was nearly impossible during the first 6,000 years of medicine.
Only in the 19th century, through a completely new approach called public health, did disease prevention become practical. Medicine evolved from a curative approach to a preventive one by eliminating the causes of illness. Information security is making the same transition, evolving from a reactive to a preventive discipline.
Handicapped by a lack of knowledge, early physicians developed ineffective treatments, such as bloodletting. They had no idea that disease is best addressed through clean environments, good hygiene and sound nutrition. Security practitioners have never been that clueless, but many of our practices are poorly conceived. Traditional medical and security practices rely on those passed down by "authorities," without verification of their effectiveness. Every profession needs well-vetted treatments and preventive measures that have demonstrable results.
Practitioners discover and eliminate (or contain) illnesses by collecting and analyzing data. For example, in 1854, when British doctor John Snow disabled a water pump, the sudden drop in neighborhood cholera cases demonstrated the relationship between specific water sources and the disease. Trained researchers are usually needed to develop practical corrective measures, after which implementation can be performed by inexpensive laymen.
The emphasis on corporate governance applies this same approach to operational risk, a parallel that's apparent in information security: A root cause is defined; an avoidance practice is devised; an activity is changed; results are monitored; and priorities are continuously adjusted. Security managers who exercise these "best practices" have fewer security headaches, as do their "patients."
Another important lesson: Awareness programs are necessary, and, in many cases, additional incentives or penalties are needed to ensure compliance. To prevent recurrence, health practitioners found that they had to continually measure the level of compliance with best practices. In cases of a highly infectious disease, when the health of a few individuals has an impact on an entire population, governments often impose mandatory preventative practices, such as child vaccination programs. This particular lesson hasn't yet been applied to information security, but it's a growing possibility.
Corporate auditors are the equivalent of public health officials, monitoring performance indicators and ensuring that best practices are applied throughout an enterprise's IT environment. Performance indicators are crucial, which is why a great deal of research is directed toward devising and refining them. Likewise, the big challenge of information security is the development of practical indicators that can be easily monitored to interpret symptoms of infection. Progress in both disciplines lies in continually refining the metrics.
Public health implies that disease is controlled, not eliminated. The perceived threat level is a poor guide in deciding how diligently practices must be followed; threats always manifest themselves when preventive measures are allowed to lapse. The final lesson that information security practitioners can take from public health is that constant diligence and vigilance are necessary when trying to ensure enterprise security.
About the author
Jay G. Heiser is a London-based security analyst with TruSecure Corp.
Note: This column originally appeared in the July issue of Information Security magazine.