What is security?

Updated: Aug 9, 2019

Back in May of 2019, Jeff Man gave a talk at the Tribe of Hackers Summit in Austin, Texas. In his talk, he asked "what is security?"

The question was so simple, so fundamental to my work, yet I struggled to define security without using the word itself. As I pondered the question, I wanted a definition that would transcend technology. The definition had to apply to technical systems, non-technical systems, and even non-systems. The working definition that I came up with is as follows:

Security is the practice of protecting something of value to prevent it from suffering misuse, damage, or destruction.

Let's unpack this a bit:

Security is a practice. This is important. The word practice captures the active nature of security. It is a process. It is never done. We can never step back and say "there, now we are secure." We must continue to maintain and improve because the threats to security never stand still.

We are protecting something of value. This can apply to any asset or use case, from technology, to public safety, bank vaults, bars, brand reputation, and even Rapunzel up in her tower.

We want to prevent that item of value from suffering misuse, damage, or destruction. The definition deliberately leaves room for a threat to affect the asset in any way that diminishes its value. This is applicable to any asset, tangible or intangible, and allows for an infinitely broad range of examples of threats to that value. This wording does not limit us to technical applications.

