In classes and webinars, I often say Cyber Security is protecting the keys to the digital kingdom. While that is catchy and broadly true, Cyber Security is more formally the discipline of helping organizations protect their digital information and assets.
The CIA Triad
Almost every organization, large or small, has at least some information that needs to remain private. This might simply be customer, employee, and vendor information or more elaborate forms of intellectual property such as source code or sales/marketing plans.
Regardless of what form of information we are protecting, Cyber Security professionals are guided by three principles, or what I like to call the three promises we make to the organizations for which we work. These principles, or promises, are collectively called the CIA Triad, standing for Confidentiality, Integrity, and Availability.
Confidentiality is probably the most straightforward and easiest to understand. As previously stated, almost every organization has something they need to keep private. Cyber Security professionals are directly involved in helping their organizations secure such data and have many tools in their arsenal to attempt to do so, including encryption, firewalls, intrusion detection, penetration testing, as well as security awareness training and policies.
While it might seem easy to just encrypt everything, in reality Cyber Security has to balance the need to protect information with the need to make such information available so the organization can accomplish its objectives. An outbound sales organization cannot make any sales if its salespeople cannot access the sales leads database, for example. Cyber Security professionals use the concept of Least Privilege to help decide when and where to grant access to sensitive information.
Integrity is the second promise and involves ensuring that information is not changed in an unapproved way. The 1980s movie “War Games” contains a scene showing a young hacker breaking into his school’s computer systems to change grades, and it is not uncommon for more recent movies to show hackers changing bank account balances. These are all clear-cut examples of Integrity violations and something Cyber Security professionals seek to prevent from happening. Access controls, logging, monitoring, and auditing are all tools used to ensure the Integrity promise is kept. As with Confidentiality, Cyber Security professionals cannot simply lock away information to prevent an Integrity violation. Information within an organization does and must change (e.g., balances are updated in Accounting systems and new leads enter the Sales databases), but it must only change in approved and auditable ways. The next time you log into your computer at work or your social media sites, realize that this step is not just an annoying administrative process, but a critical step in being able to show that the Integrity of the organization’s information is being maintained.
The last promise, Availability, is often overlooked, and I always tell my students to never forget to cover the “A.” Availability involves ensuring that the organization has access to and use of its information, even in the event something does (and it will) happen. Whether the cause is a breach by a malicious hacker or, more likely, simply a natural disaster, organizations that lose access to their information have a much higher chance of failing if the Availability promise is not taken into account. Cyber Security professionals must protect not only against digital attackers, but also against anything that could disrupt access to needed organizational information. Those in the field use concepts such as Business Continuity Planning and Disaster Recovery Planning to ensure that this does not happen to their organizations. In Cyber Security, a balance must always be found between the costs of ensuring access to information and determining which information is critical for the organization to survive an event.
Powered by Woz U Cyber Security programs cover the CIA Triad, all three promises, and the concepts, tools, and techniques (including all mentioned above and more) needed to ensure individuals become solid Cyber Security professionals able to address all of these promises for the organizations for which they go on to work. For more information about the powered by Woz U Program, please visit: https://woz-u.com/learn/cyber-security/