What’s happened to availability?

Jan 06, 2003

Whatever happened to the A in CIA? That’s what a reader asked recently, referring to the tried-and-true information security triad: Confidentiality (keeping secrets secret), Integrity (ensuring information is not modified) and Availability (keeping electronic doors open and IT shops humming).

Availability has become perhaps the most pressing post-9/11 security issue for network-centric firms. Today, responsibility for network availability is being moved from information security staff to others within the corporate organization. Some firms view availability as part of disaster avoidance. For example, how do you pick a location for a back-up data center? What possibilities must be considered? Acts of God, to be sure. But now, acts of man are in the forefront of our paranoia. Package bombs? Severed transportation or communications links? Shoulder-launched missiles fired from buildings or hilltops? Is availability the responsibility of information security professionals, counterterrorism experts or disaster-recovery teams?

Other companies consider availability a part of business continuity. Some cities now provide utility company specialists to coordinate with local companies and critical infrastructures to ensconce mission-critical power and communications lines in concrete tubes under the streets and ostensibly away from danger. Facilities-management staff often take the lead here, even though the pre-eminent aim is to provide real-time backup, redundancy or fail-safe data centers.

What I see in too many organizations is turf building, budget grabbing and “stovepiping” – vertical building of a hierarchy within a company that has no contact with other divisions or departments. This is the antithesis of what is needed to meet modern, coordinated threats that transcend corporate-divined organizational boundaries.

A new security triad, CPP, redefines the three main areas of security: Cyber (computer, network and information security), Physical (the wires, silicon, glass and structures) and People (employees, consultants, suppliers, partners and anyone in contact with your company). Under this triad, stovepiping of responsibilities and functions creates unnecessary overlap, wasted resources and a mediocre security posture.

Availability should be dealt with in all three legs of the triad. Physical security is valuable and should be part of any serious security effort, but it cannot be done in a vacuum. Availability is affected by people – internal folks who, with malice or by ignorance, cause network availability to fail. And for organizations thinking about putting availability exclusively into the hands of physical security or business continuity staffs, think again. Denial of service is more than bombs and floods; it is also network clogging, misbalanced traffic loads, too many MP3 or MPG downloads, and viruses and worms, to name a few.

All legs of the security triad are important. That’s why stovepiping worries me, and the tales I hear are disturbing.

The best-run security organizations create a horizontal team of experts from many disciplines with a common goal: protect corporate physical and information assets from all forms of weakness and threat. They balance risk, reward and threat against budgets, public confidence, possible government oversight, real losses and other factors. The physical guys run the physical aspects of security; network guys talk to them and coordinate (not duplicate) their efforts; and human resources, security awareness and corporate computer emergency response teams mitigate the effects of insiders who can cause just as much damage as a dedicated adversary.

But these teams must have a true leader – evangelist, if you will – empowered with authority to take the necessary steps to implement a coordinated security effort. Top management needs to recognize that while security is made up of many discrete, often technical, pieces, ultimately strong security is created by strong management that understands the need for operational flexibility in the myriad environments that challenge us today. Take a look at the many pieces of your corporate security efforts, from different angles, and see if you and they are working in harmony or in dissonance doomed to disaster.

Winn Schwartau is the president of Interpact, Inc., a security awareness consulting firm, and the author of many books including "Information Warfare," "CyberShock," "Time Based Security" and "Internet and Computer Ethics for Kids." His popular speeches entertain government and commercial audiences on three continents.