One bit of IT security dogma that's gone unquestioned over the years is the notion that every technology belongs to one of three pillars: confidentiality, integrity, and availability, also known by the abbreviation CIA. Traditionally, a security team is doing its job if it manages to protect the technologies that fall into those three buckets.
For more than 20 years, I've been unsuccessful in completely breaking the CIA model. However, I think two new pillars are strong enough to warrant expanding CIA: compliance and privacy. These concepts are now important enough that if you miss covering them, you aren't providing comprehensive security to the users or assets you're assigned to protect. Adding a "C" and "P" to "CIA" doesn't make for a particularly snappy anagram, unfortunately. CIACP? How about PIC2A? No, I didn't think so. Even though it doesn't spell a word, we should continue.
[ Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
Many Fortune 500 companies already have chief compliance officers and chief privacy officers. That's telling. These companies obviously determined that one or both of these issues were getting insufficient attention though the existing CIO or CISO structure. To be fair, those are already full-time jobs without absorbing the responsibilities associated with ensuring compliance and privacy. The fact that compliance and privacy laws, regulations, and requirements differ from country to country makes them tough to manage.
First, let's look at the three pillars of CIA. Confidentiality covers such technologies as access controls, encryption, authentication, authorization, firewalls, and any other technology that prevents unauthorized users from viewing protected content. Integrity encompasses technologies that ensure that content cannot be changed in an unauthorized manner without being detected, including digital signatures, hash algorithms, and public key cryptography. Availability comprises techniques that assure that content is readily accessible to authorized users when needed. Technologies here include fault tolerance, backup power supplies, redundant servers, disaster recovery, RAID storage, and anti-DDoS technologies.