For the last few days, I have been thinking about doing a series of blog posts around the theme Essential Truths in  Information Security. In these posts, I will discuss a number of lessons that I learned while working in information security.

Today's truth is: Understand what you protect. For an information security professional to be successful, just understanding how to protect a resource is not enough. A deeper understanding of your organization's assets is at least as import: what are the resources that you are trying to protect? How important are those resources to the organization? What kind of controls are appropriate?

Understanding what you protect requires knowledge about the business side of life. After all, information security is not a goal; it is a means to manage risks to information and to ensure that those risks are at an acceptable level. Who decides what is acceptable and what is not? Most certainly it is not the information security professional; our job is to identify risks and point out what the consequences might be if a risk manifests itself.

We will also suggest how those risks may be mitigated, but in the end, that decision is not up to us. Once the decision has been made, we will work to implement, operate, and monitor information security controls to see how effective they are. More often than not, information security professionals will also coordinate how information security incidents are resolved.

Determining what measures will be taken while responding to an incident is something that we need help of "the business" for. They, not us, know what the impact of containment or eradication actions are.

Understand what you protect

Realize that putting information security controls in place is not a goal, but a means to achieve a business goal. Understand what you protect.