The Magic Triangle of IT Security
CSO - The myths of the CIA triad

Have you ever considered taking a role as the most senior person for information security working at a large corporation? Then you must be prepared to understand the key principles of information security, and how they really apply to life and business.
We all understand the typical C-I-A triad (written in this sequence because it's so easy to remember with the 3-letter agency acronym), where C stands for Confidentiality, I for Integrity and A for Availability. But what I have realized and seen from many people during my professional life (people who are well-educated about security and who are really committed to keeping secure the information of the company they are working for) is this: They all overstate the importance of confidentiality.
Sure, I don't need to tell you that confidentiality is in fact important. But, if you really think about it, what is the true business impact if some confidential information leaks? It certainly depends on the specific circumstances. Has intellectual property been compromised? Have marketing plans been shared with another sales department? Or even price lists? Or has a major planned acquisition become public knowledge and suddenly the stock price of the acquisition target goes through the roof? Maybe you will have to deny any such plans, wait until the stock price has normalized and perform the acquisition afterwards. Or sue the thief who stole and/or used your intellectual property. Or make your clients aware of unfair business practices of the competitor who uses that price information. Anyway, the immediate (please note the emphasis) business impact in most cases is not as high as you may have thought.
Even after a competitor has gained that extra knowledge, which may take away some of your competitive edge (there are in fact fair-playing competitors who might give it back to you without using a copy of it), months and years can go by before this really shows up in your balance sheet, and you have time to respond and react to it.
But now, realize why IT is used today in almost all businesses, industries, and organizations of any size. And realize that the availability of the IT systems and data is of utmost importance. Let's say your major ERP system goes down for a day or two. What kind of outcry from the business, board room attention, and extra money (available to fix the issue immediately) would be guaranteed?
It is because this kind of "breach" is an immediate, measurable, direct loss, which impacts (or in the worst case interrupts) the company's ability to make money. You will be amazed that suddenly there is no more RO(S)I discussion, budget restriction, or similar pain we all have been through. Because everyone up to the board level immediately understands that this kind of loss needs action, because it is a direct foundation of the company's stability and even existence.
Reprinted with permission from
Story Copyright CXO Media Inc., 2006. All rights reserved.
