Case Study - InfoSec Misconceptions (Q&A)
Intro
In this case study, we’ll discuss something different. Instead of talking about things that are highly technical. We’ll talk about something conceptual. InfoSec (short for Information Security) is the practice of protecting information by mitigating information risks (Wikipedia). There is a number of misconceptions people have in regards to InfoSec. In this case study, we are going to look at a few of them and provide my point of view.
Is InfoSec a new industry?
The information industry can be considered a fairly new industry. However, the security industry is not a new industry. The concept of security already existed since the first day that people had something they care about and were afraid of losing, usually in the form of people or asset. Historically, security industry served in royal courts, armies, goods transports etc. Nowadays, since the booming of the information industry, people start caring about their information. Therefore, security also serves the information industry in the name of InfoSec.
Why should companies scan their own websites?
If they don’t, hackers will.
What is the most important thing in InfoSec?
Before answering what is regarded as the “most” important, we will address what is the “second” important thing. Let’s start by thinking about this question: “in an organization that has a lot of assets, such as computers, buildings, software etc, what do you feel is the second important thing from InfoSec pov?” The answer is: “data”. And it’s only second to human lives.
What’s your experience level in InfoSec?
24/7
How do people in InfoSec think?
InfoSec, down to the end, is nothing special but common sense. However, it is common sense based on a different set of defaults to people who are not in this industry. For instance, considering telemarketing as an example. Once you realized it’s a telemarketer, you may hang up and block the number. And truely, nowadays, phones all implement the block-list feature and overtime, you may end up with a huge block-list. The design concept that allows everyone to call everyone inevitably served as an initiative for this phenomenon. If you asked an InfoSec person to start with the design concept, it may goes like this: “let there be an allow-list so that only people on the list can call me”.
The company has very limited budget for InfoSec, what countermeasures should be implemented first?
Buy a business insurance.