How do you know when something is secure? (Part 1)

April 04, 2014
Kevin Lam

I had a bunch of meetings this week, as I imagine we all did, but two of them really stood out, and I think you could really benefit from hearing about them:

  • Meeting #1: A rather large company wanted to move highly sensitive data to the cloud. One of the project leads kept insisting that all they needed to do was encrypt the data and that would stop any malicious hackers.
  • Meeting #2: Another company felt that they didn’t have to encrypt their data and that continuing to use email to send healthcare information was fine, because “our email accounts require passwords, and we use strong passwords, so it’s already secure …”

These companies are screwed. But, but, they are using encryption and strong passwords. And aren’t these all good things that make things more secure? Yes they are and yes they do, but sorry, these companies are still screwed. Here’s how I know …

The Most Ridiculously Simple Security Pro Secret You’ll Ever Hear

Most security pros know this secret: security is people, process and technology. It’s important, so here it is once again: security is people, process and technology. When all three of these intersect and work together, that’s when you get great and incredibly effective security:

  • People: This part of the security equation speaks to how well users are educated.
  • Process: This part talks about the steps and procedures that need to be followed in order to keep data secure.
  • Technology: This final piece covers the technologies being used to provide the security, like firewalls, anti-virus software and encryption technologies.

This is a deceptively simple but powerful framework for measuring how secure something is. You can literally take any past data breach event and understand immediately why that breach happened, and most importantly, how to prevent it from happening to you. Or look at any mobile/cloud/whatever service or software and immediately get a good idea about the security of it.

That’s it for this week. I want you to first stew on these three components just for a little bit, and then over the next couple of parts I’ll teach you how to apply them to virtually any security scenario you’ll come across, and tell if something is secure or not.

Until then, have a great Friday,

Kevin Lam
