And now, on to one of the biggest challenges we face while having information risk management discussions: What is the value of information?

Information by itself doesn’t have tangible value. It’s value is subjective. Everyone has their own opinion, and many people manipulate the values to serve and twist their message. In fact, the only thing you can really come close to arguing is the value of the medium upon which the information exists. Be it a hard drive, jump drive, or a piece of paper, those things have some kind of agreed-upon value. But the information itself?

Cash, by

Imagine for a minute that you are charged with protecting a pile of cash totaling $100,000 ((I stole this idea from Chuck Hollis. Go check him out.)). Because our financial system is based on the paper having a set value, a dollar is always a dollar. It’s buying power will change over time, but it’s still a dollar. If you are a risk manager, you know that you can’t leave cash out in the open—someone will take it. So you must do something to secure that $100,000.

A good risk manager knows that it’s stupid to build a $10 million vault to protect $100,000 in cash. A good risk manager also knows that other people have already built $10 million vaults, and he could probably lease some space in that vault if he wanted to do so. He could also spend some money on a more cost-appropriate solution for protecting that cash if he wanted to own one. It’s not that difficult when you know the value of the thing you are trying to protect.

Now imagine that instead of being charged with protecting a pile of cash, that I gave you a pile of information to protect. Maybe I’m dramatic and wheel in a Symmetrix array, or more likely, I drop a single thumb drive in your lap. What value would you assign to it? How do you protect it? How much would you spend on systems to keep it safe? How would you ensure its usability during a security event?

Information tends to only have a tangible value after a security event. Not immediately after, but over time when all the dust settles and we can add up all the fines and fees associated with the event. So how does that work when you are architecting solutions to protect some data?

I don’t necessarily think that we’re going to ever crack this nut, and thus we must change how we approach security architecture. We can’t use outdated ALE equations (does anyone actually use those anymore?) for information risk management. We have to figure out what data is important to us to keep critical operations running. We also have to understand who the new breed of attackers are and what data they find valuable. If we have that kind of data, we need to either use advanced (and sometimes expensive) measures to protect it, or outsource that function to someone else. Yep, we’re still in subjective land, but at least we can better focus our efforts on the few key elements we need to protect (enclave) instead of assuming all assets are alike and need to be protected the same way (flat network).

This post originally appeared on

Possibly Related Posts: