MAINFRAME > Administrator > Security

Information Security Is a War

I was recently asked my opinion on the biggest security-related issue facing IT today. My answer? Management is not performing their rightful roles in the security management process. What happens today in most companies is the equivalent of army generals giving soldiers a few weapons and then telling them to figure out which battles to fight.

In other words, management is not providing the strategic leadership and decision making required by their roles in the information security management process. Even more daunting is that the supposed generals in the information-security war don’t seem to recognize this as a problem.

An Analogy

Let’s delve into the war analogy. In an army, generals are responsible for strategic planning and accomplishing the state’s primary objectives. They determine when, where and how best to defeat the enemy. They are also responsible for communicating this strategy, through written orders, to their direct subordinates. Each member of the general’s staff creates more detailed orders for their subordinates, and so on until orders are received by the lowest level commander in the army—second lieutenants.

Second lieutenants determine how they’ll use their squads (usually 12 or so soldiers) to accomplish the specific tasks they’ve been given. For example, to reach a certain hill or town by a specific time. He or she may assign a couple of soldiers to charge up the middle and a few to guard the unit’s rear and flanks, depending on the circumstances and the objectives. Once these assignments are made, it’s up to the soldiers to use their training with established processes and procedures to successfully accomplish their tasks.

Soldiers (company grade officers and enlisted men) perform specific tasks designed to help higher-level field grade officers achieve their assigned objectives. General officers ensure (or are supposed to ensure) soldiers are properly equipped and trained for the battles that the commander intends them to fight. Soldiers don’t decide which battles will be fought; only how to use the training and tools they’ve been given to most effectively and efficiently fight the battles into which their officers lead them.

Tasks and objectives assigned to individual soldiers rarely can be used to discern an army’s overall objectives.

At the highest level, orders define strategy and objectives for the entire army. For example, “We will defeat Hitler by invading the European continent on the Normandy coast of France, gaining a beachhead, and spearheading a drive through France to Germany.”

Orders at the lowest level, define tasks and the processes and procedures soldiers will use to accomplish those tasks. For example, “our company’s task is to gain control of the town of St. Mare Eglise. We will parachute into the Cotentin peninsula about 5 miles south of town. By dawn of D-Day, third platoon will secure the northern entrance into the town and prevent an enemy counterattack. First squad, third platoon will ensure that the town hall tower is clear of all enemy snipers and spotters, denying the enemy the tactical information they need to launch a counterattack. The rest of third platoon will set up a machine gun nest on all north-south roads. You can expect artillery support from ships off the coast.”

Orders often include a section entitled “Commanders Intent.” This section explains an order in more detail and provides a sort of framework that helps subordinates make decisions when the commander cannot be reached or there is no time to consult the commander.

Sans knowledge of the overall army objectives, observing the results of individual unit responsibilities won’t tell you how well you are progressing toward the army’s objectives.

The general’s strategy and objectives are fairly concrete. Once they’re set, they don’t change very often. Soldiers’ tasks and the processes and procedures they use to accomplish them will change much more often depending on the nature of the task and the behavior of the enemy.

Patrick Botz is the principal consultant and founder of Botz & Associates Inc., architect of the SSO stat! service and former head of the IBM Lab Services Security Consulting practice. He can be reached via

Like what you just read? To receive technical tips and articles directly in your inbox twice per month, sign up for the EXTRA e-newsletter here.

comments powered by Disqus



2018 Solutions Edition

A Comprehensive Online Buyer's Guide to Solutions, Services and Education.


Addressing Common RACF Configuration Issues

A Perfect Union

New encryption facility for z/OS strengthens mainframe bond.

Avoiding Security by Obscurity

Data security is not just an IT department issue.

IBM Systems Magazine Subscribe Box Read Now Link Subscribe Now Link iPad App Google Play Store
Mainframe News Sign Up Today! Past News Letters