Information Security Blog

Is Confidentiality still an Information Security Requirement?

To an “old school” infosec practitioner (like myself), confidentiality is the most emphasized element of the CIA triad (confidentiality, integrity, availability), because the risks associated with a failure to provide confidentiality are usually the biggest and the regulations can be the stickiest (e.g., PII, PCI, HIPAA).

“New school” practitioners are likely to view things a bit differently. When you have grown up with “where you are/what you did/who you did it with” posted for the world to see on MySpace/Facebook, the boundaries between private and public are pretty thin. Rather than ramp back, many are continuously broadcasting their whereabouts and activities using Foursquare and Twitter. GenY folks are just not all that concerned about confidentiality, because they are not that concerned about privacy.

My conversations with GenY have altered my views on privacy quite a bit. So has my work as a social engineer. So has the fact that I have had my Personally Identifiable Information disclosed by multiple retailers and a mortgage company. In short, the genie is already out of the bottle and there is no way to get the cork back on. If you don’t agree with me, Google yourself, and take a look at tools like pipl.com, paterva.com, and jigsaw.com. If you are anyone who has at least partially embraced the internet — birthdates, mortgages, judgments, addresses, your work history, your military records (including serial number), Social Security Numbers, purchases you made on Amazon, your woeful performance in your fantasy football league, posts you made on the dementia message boards — are all just a click away.

So if our “private” information is now “public”, do we really need confidentiality? Does it really matter if someone knows my Social Security Number? Driver’s License Number? Address?

Sadly, it probably still does — because those items are often inappropriately used as a form of authentication. However, as GenY folks take more prominent roles in politics and information security, I would not be surprised to see some big changes, most notably a de-emphasis of confidentiality and a greater emphasis on authentication and authorization.
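To make the point concrete, here is an added example (not code from the original post or its author) contrasting a hypothetical knowledge-based check, which treats an SSN, date of birth and ZIP code as secrets, with a credential-based check followed by a separate authorization decision. The record, password and role table are constructed sample data; anyone who has found the public record passes the first check, while the second depends on something the user actually controls.

```python
"""Identifiers that are public make poor authenticators.

Added example, not from the original post. All names, the sample record and
the role table are constructed for illustration.
"""
import hashlib
import hmac
import os

# Constructed sample record: the kind of data the post says is "a click away".
PUBLIC_RECORD = {"ssn": "123-45-6789", "dob": "1975-03-14", "zip": "07450"}


def kba_verify(claimed: dict, on_file: dict) -> bool:
    """Knowledge-based verification.

    Passes for whoever can recite the record on file, so its strength is
    exactly the confidentiality of data that is, in practice, already public.
    """
    return all(claimed.get(key) == value for key, value in on_file.items())


# Credential-based authentication: a salted PBKDF2 hash of a user-chosen
# password (stdlib only; parameters are illustrative, not a tuning recommendation).
PBKDF2_ROUNDS = 200_000


def make_credential(password: str) -> dict:
    """Store a per-user salt and the derived hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def verify_credential(password: str, cred: dict) -> bool:
    """Recompute the hash and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), cred["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, cred["hash"])


# Authorization: what an authenticated principal may do, decided separately
# from who they are. Constructed role table.
ROLE_PERMISSIONS = {
    "customer": {"view_own_account"},
    "agent": {"view_own_account", "view_customer_account"},
}


def authorize(role: str, action: str) -> bool:
    """Deny by default: only explicitly listed actions are permitted."""
    return action in ROLE_PERMISSIONS.get(role, set())


def access(password: str, cred: dict, role: str, action: str) -> str:
    """Authenticate first, then authorize; report which step refused."""
    if not verify_credential(password, cred):
        return "denied: authentication failed"
    if not authorize(role, action):
        return "denied: not authorized"
    return "allowed"


if __name__ == "__main__":
    # Someone holding the public record passes the knowledge-based check outright.
    print("KBA with public record:", kba_verify(dict(PUBLIC_RECORD), PUBLIC_RECORD))
    cred = make_credential("correct horse battery staple")
    print("agent viewing a customer:", access("correct horse battery staple", cred, "agent", "view_customer_account"))
    print("customer viewing another:", access("correct horse battery staple", cred, "customer", "view_customer_account"))
```

The design point is the one the post makes: `kba_verify` is only as strong as the secrecy of the record, whereas `verify_credential` and `authorize` do not care whether the SSN is known, so the system keeps working after the identifier has leaked.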

I’m ready …

About the Author:

John W. Verry, CISA/27001 Lead Auditor/CCSE/CRISC - "Security Sherpa" - Information Security Auditor