We all tend to worry about what we eat nowadays. We want to be healthy, control fat consumption to increase our life expectancy and reduce the risk of disease. That aspect of risk reduction makes it a bit like information security.
Of course, dieting is a kind of torture for a lot of people. A good diet usually involves replacing certain food (usually delicious but sadly unhealthy) with good food – so fewer grains like rice and more vegetables, and chicken breast instead of a big steak with sausage or butter, for instance. Unfortunately most people make the change without any preparation or nutritional advice and can end up experiencing health problems like loss of strength, fainting and even digestive problems because their diet is unbalanced.
In information security, change management practices are crucial to maintaining the continuity and availability of information. Install a new security device or policy without preparing the users and you will cause trouble, just like a bad diet affects our body. It sounds weird but companies are living systems too.
Also consider the relation between all the nutrients we eat daily and how information security plans are implemented in organisations. Let’s start by talking about the Harris-Benedict equation, which helps us assess how many calories we have to eat per day according to our energy consumption – in other words, how much energy we need for our normal daily activities. With this information a nutritionist can give us an amount of proteins, carbohydrates, vitamins, fats and mineral salts to eat each day, in the form of vegetables, milk, bread, meat and other foods.
When you start to create a security plan for a company you have to be like that nutritionist. You can start with a risk evaluation and then choose how much security awareness you have to do in a year. You also have to define technical controls to manage security in endpoints, and define rules to deploy security policies.
So we can find a relation between nutrition and security controls: we have to know the subject/company to define what he/it needs to eat/deploy to be healthy/secure and it’s true that any unbalanced consumption/definition of food/control will create a negative impact on the subject/company. You could eat a lot of fat, or install a DLP system that denies all data transfers; in both cases there are bad impacts that will cause health problems and security flaws.
Whether you are talking about food or security, it’s all about balance.