Robert Garigue: Three Information Security Domains–the Physical (Old), the Process (Current), and the Content (Future)

Advanced Cyber/IO, Citizen-Centered, ICT-IT, Policies-Harmonization, Strategy-Holistic Coherence, Threats, True Cost

Core Point:  The US national security world is still operating under two conflicting paradigms: stovepipes within which authorized users have access to everything in the stovepipe (more or less); and isolated stovepipes in which external authorized users have to spend 25% of their time gaining access to 80+ databases (or worse, don't bother), and if they forget their password, face a 2-3 day gap while access is restored.  What SHOULD have happened between 1986, when this was first pointed out, and 1994, when the national alarm was sounded, was full encryption at rest of all documents, and a combination of automated access roles and rules together with anomaly detection at any point in the system including external drives.  The good news: 90% or more of what needs to be shared is NOT SECRET.  Bad news: someone other than the US Government “owns” that 90%.  The US system is not capable of ingesting and then exploiting that 90%.

See Also:

Robert Garigue, “Technical Preface” to Book Three

Robert Garigue, CISO Briefing

Robert Garigue: Information Security MANDATE

Advanced Cyber/IO, ICT-IT, Multinational Plus, Strategy-Holistic Coherence, Threats

Core Point:  Information Security must enable both risk and advance–for example, M4IS2 (multinational, multiagency, multidisciplinary, multidomain information-sharing and sense-making).  Today cyber-security is an OBSTACLE to progress because it is, in one word, retarded–in two words, risk-averse rather than risk-bounding.

See Also:

Robert Garigue, “Technical Preface” to Book Three

Robert Garigue, CISO Briefing

Robert Garigue: Structuring Risks (Role of Security)

Advanced Cyber/IO, ICT-IT, Strategy-Holistic Coherence, Threats

Credited by Robert Garigue to Gabe Davids of EDS.

Core Point:  Done properly, security enables MORE risk-taking, allows one to do MORE with LESS.  In other words, cyber-security policies that are risk-averse instead of risk-enabling are, in a word, retarded and retard the enterprise.  Case in point: Wikileaks leading to no more flash drives–what SHOULD be in place is all the flash drives one wishes, but embedded security that prevents or flags abuse of those flash drives.

See Also:

Robert Garigue, “Technical Preface” to Book Three

Robert Garigue, CISO Briefing

Robert Garigue: When Everything Else is Distributed….

Advanced Cyber/IO, Strategy-Holistic Coherence, Threats

Core Point:  It is not possible to have centralized cyber-anything if both the human end-users and all of the (multi-media and multi-lingual) data are distributed.  This is especially true of security, which is historically several steps behind mission area processes to begin with, and of any form of top-down “regulation” that tends to appear after the fact rather than “just in time.”

See Also:

Robert Garigue, “Technical Preface” to Book Three

Robert Garigue, CISO Briefing

Gunnar Peterson on Robert Garigue’s Last Briefing

Advanced Cyber/IO
Gunnar Peterson

The issue that Dr. Garigue articulated as well as anyone I have seen is that Information Security is not just security or just information. I have [this] slide printed out hanging above my desk for several years.

Most security people struggle with this concept, and try to separate these two concepts, and if they do, they miss two very important issues. First, they miss the opportunity to look at security as a business enabler. Dr. Garigue pointed out that because cars have brakes, we can drive faster. Security as a business enabler should absolutely be the starting point for enterprise information security programs. One excellent example of this is identity federation, which enables an easier integration across companies and technologies and puts stronger identity credentials on the wire in the process. Secondly, if your security model reflects some CYA abstraction of reality instead of reality itself your security model is flawed. I explored this endemic myopia in a series of posts on decentralization and security. JSB and John Hagel taught us that integration and friction cannot be separated, attempts to do so lead to confusion and disorder, and this is the heart of the issue Dr. Garigue's work is articulating. If your business and systems are decentralizing with both hands, and your security model is predicated on centralized, iron-fisted control, then the only place your security model works is on the whiteboard.

Emphasis added.  Read rest of commentary….

See Also:

Robert Garigue, “Technical Preface” to Book Three

Robert Garigue, CISO Briefing