Contextual-Relevance: A New Paradigm for Information Security.

Monday, July 08, 2013

Brad Bemis


The nature of the security game hasn’t changed much over the past 10 to 20 years. Sure, the tools and technologies, and the types of offensive and defensive strategies that are employed have changed, but we’re still challenged in many of the same ways that we’ve always been. We’re still engaging in a losing battle against an invisible enemy while trying to make the best possible use of what little human and financial capital we are granted to defend our information ecosystems; all while trying to advocate for more support, more money, and more people to do the job – despite a perceived lack of ‘tangible’ evidence that the work we do has any actual value.

If you’ve been tasked to take an active role in protecting your organization’s information assets, then you may have already experienced some of this for yourself. To make matters worse, we now live in a mobile, social, cloud-based world, where information exists in a completely untethered state and our existing information ecosystems are incapable of containing it. The complex systems that we work with just continue becoming more complex; as do the social and organizational cultures that influence (and constrain) our efforts to defend them. And, truthfully, no one really has a ‘silver bullet solution’ for how we handle this growing problem.

Rather than figuring out how to shift our current security paradigm, most of us are so busy, and so limited in the availability of finite resources, that we reach for the ‘easy’ answers, the ‘low-hanging fruit’; thinking that any action is better than no action. It’s not uncommon to turn towards the next latest and greatest technical security ‘solution’ offered by a favored vendor; especially when you consider the types of ‘promises’ being made. While the technologies required to limit the likelihood, breadth, and depth of a potential security incident are indeed essential to a holistic information security program; there are limits to the protective value that these technical controls can offer.

If it’s clear to us that a technology-centric approach isn’t the answer, then what is? Regulatory compliance certainly hasn’t addressed the issue – nor have any of the ‘best practices’ that are commonly held up as the way security should be done. In some cases, the compliance/best practice mindset so commonly adopted nowadays has actually distracted us from the things that matter most. Caught up in answering the question of “are we compliant?” we forget to ask the question “are we secure?” Even more importantly, we forget to ask the question “does my security program make sense for me?”

With our rampant adoption of commoditized security technologies, increased emphasis on compliance mandates, and continued use of outmoded ‘best practices’, somewhere along the way the importance of *context* has been lost. I’m not sure it’s possible to pinpoint the exact moment that everything began to shift, but more and more organizations these days are taking a ‘one-size-fits-all’ approach to the protection of their information assets; asking “what does everyone else do?” While it may be a fair question, it’s not the right question to be asking. Asking the right questions takes courage – the courage to challenge the status quo, and to focus on what works instead of what’s popular or convenient.

So just what is ‘Contextual-Relevance’? The basic premise is that, for information security to function properly, it MUST take into account the unique organizational context that applies in any given situation. This fundamental concept is so crucial to the underlying fabric of a successful security program that it pervades all aspects of the security function. While this isn’t necessarily a revolutionary idea – it’s most certainly an idea that’s received less attention than it should of late.

My goal is to drive the term Contextual-Relevance into the common security lexicon used by all. It begins here and now!

More to come in future posts...

Related Reading: Effective Security Requires Context (SecurityWeek)

Related Reading: Integration, Context-Aware Security Key to Strategy


Marc Quibell: Security is about Risk Management. Part of Risk Management's formula (should) include business "organizational context" as you put it. This other article below nearly had it except it forgot to mention how much risk a vulnerability is to the actual business and how much of that risk the business is willing to accept. (